c65df5ec...b1f0 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Trojan, Dropper, Ransomware

c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0 (SHA256)

CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE

Windows Exe (x86-32)

Created at 2019-01-18 08:45:00

Notifications (2/2)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x93c Analysis Target High (Elevated) cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" -
#2 0x954 Child Process High (Elevated) mov7tw~1:bin C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE #1
#3 0x968 Child Process High (Elevated) vssadmin.exe C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet #2
#4 0x4 Created Daemon System (Elevated) System - #2
#5 0x1d4 Created Daemon System (Elevated) services.exe C:\Windows\system32\services.exe #2
#6 0x254 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #5
#7 0x294 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #5
#8 0x2c8 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #5
#9 0x310 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #5
#10 0x350 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #5
#11 0xf0 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #5
#12 0x268 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #5
#13 0x4a8 Child Process System (Elevated) spoolsv.exe C:\Windows\System32\spoolsv.exe #5
#14 0x4d0 Child Process Medium taskhost.exe "taskhost.exe" #5
#15 0x4d8 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #5
#16 0x474 Child Process System (Elevated) taskhost.exe taskhost.exe $(Arg0) #5
#17 0x97c Child Process System (Elevated) ose.exe "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" #5
#18 0x9ac Child Process System (Elevated) vssvc.exe C:\Windows\system32\vssvc.exe #5
#19 0x9cc Child Process Medium 8dat2h~1:bin C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin #17
#20 0x9d4 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k swprv #5
#21 0xaa8 Child Process Medium arp.exe C:\Windows\system32\arp.exe -a #19
#22 0xac8 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 192.168.0.1 #19
#23 0xae0 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 192.168.0.255 #19
#24 0xaf8 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 224.0.0.22 #19
#25 0xb14 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 224.0.0.252 #19
#26 0xb30 Child Process Medium nslookup.exe C:\Windows\system32\nslookup.exe 255.255.255.255 #19
#27 0xb4c Child Process Medium net.exe C:\Windows\system32\net.exe view igmp.mcast.net #19
#28 0xbc4 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation #5
#29 0x76c Child Process System (Elevated) sppsvc.exe C:\Windows\system32\sppsvc.exe #5
#32 0x4 Kernel Analysis System (Elevated) System - -
#33 0x610 Autostart System (Elevated) ose.exe "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" -

Behavior Information - Grouped by Category

Process #1: cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:17, Reason: Analysis Target
Unmonitor End Time: 00:00:25, Reason: Self Terminated
Monitor Duration 00:00:08
OS Process Information
Information Value
PID 0x93c
Parent PID 0x460 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x940
0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0010bfff Private Memory rwx True False False -
private_0x0000000000110000 0x00110000 0x00121fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
rsaenh.dll 0x00170000 0x001abfff Memory Mapped File r False False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x0029ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x0041ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory rw True False False -
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory r True False False -
private_0x0000000000880000 0x00880000 0x0098ffff Private Memory rw True False False -
private_0x0000000000880000 0x00880000 0x0097ffff Private Memory rw True False False -
private_0x0000000000980000 0x00980000 0x0098ffff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00a1ffff Private Memory rw True False False -
private_0x0000000000a20000 0x00a20000 0x00baffff Private Memory rw True False False -
private_0x0000000000bc0000 0x00bc0000 0x00cbffff Private Memory rw True False False -
sortdefault.nls 0x00cc0000 0x00f8efff Memory Mapped File r False False False -
cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe 0x01010000 0x01032fff Memory Mapped File rwx True True False
pagefile_0x0000000001040000 0x01040000 0x0243ffff Pagefile Backed Memory r True False False -
wow64cpu.dll 0x74f80000 0x74f87fff Memory Mapped File rwx False False False -
wow64win.dll 0x74f90000 0x74febfff Memory Mapped File rwx False False False -
wow64.dll 0x74ff0000 0x7502efff Memory Mapped File rwx False False False -
rsaenh.dll 0x75150000 0x7518afff Memory Mapped File rwx False False False -
cryptsp.dll 0x75190000 0x751a5fff Memory Mapped File rwx False False False -
gdiplus.dll 0x751b0000 0x7533ffff Memory Mapped File rwx False False False -
comctl32.dll 0x75340000 0x753c3fff Memory Mapped File rwx False False False -
winmm.dll 0x753d0000 0x75401fff Memory Mapped File rwx False False False -
oledlg.dll 0x75410000 0x7542bfff Memory Mapped File rwx False False False -
winspool.drv 0x75430000 0x75480fff Memory Mapped File rwx False False False -
cryptbase.dll 0x75590000 0x7559bfff Memory Mapped File rwx False False False -
sspicli.dll 0x755a0000 0x755fffff Memory Mapped File rwx False False False -
msvcrt.dll 0x75660000 0x7570bfff Memory Mapped File rwx False False False -
lpk.dll 0x75710000 0x75719fff Memory Mapped File rwx False False False -
crypt32.dll 0x75720000 0x7583cfff Memory Mapped File rwx False False False -
sechost.dll 0x75a60000 0x75a78fff Memory Mapped File rwx False False False -
gdi32.dll 0x75a80000 0x75b0ffff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75b10000 0x75bfffff Memory Mapped File rwx False False False -
msasn1.dll 0x75c60000 0x75c6bfff Memory Mapped File rwx False False False -
shell32.dll 0x75cc0000 0x76909fff Memory Mapped File rwx False False False -
msctf.dll 0x76b30000 0x76bfbfff Memory Mapped File rwx False False False -
imm32.dll 0x76c00000 0x76c5ffff Memory Mapped File rwx False False False -
ole32.dll 0x76e30000 0x76f8bfff Memory Mapped File rwx False False False -
advapi32.dll 0x76f90000 0x7702ffff Memory Mapped File rwx False False False -
user32.dll 0x771d0000 0x772cffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77350000 0x773a6fff Memory Mapped File rwx False False False -
kernel32.dll 0x773b0000 0x774bffff Memory Mapped File rwx False False False -
usp10.dll 0x77550000 0x775ecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x775f0000 0x77635fff Memory Mapped File rwx False False False -
private_0x0000000077640000 0x77640000 0x77739fff Private Memory rwx True False False -
private_0x0000000077740000 0x77740000 0x7785efff Private Memory rwx True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
ntdll.dll 0x77a40000 0x77bbffff Memory Mapped File rwx False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory rw True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1 96.00 KB MD5: 51e22f2a41fe8def3e54a509493c38cc
SHA1: 47b2ddd61e5f403b5e3716c3b4dec0b0bca4d554
SHA256: c5cea8f1d4edefab1cea7486890586ce845dcfda81d1bbb2ad7f8b30e65fd710
SSDeep: 1536:TwL8tBYwdJNhsaxn0jDJ7n0yRuMxadZFAntGCO6PxmBtn5IHehMw4hGw6G5FyC8Q:TwwtewnVS570M9kdatGCO+xmBc+hMPhs
False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
Host Behavior
File (18)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Create C:\Windows\system32\BdeUnlockWizard.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg type = file_attributes False 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg type = file_attributes True 1
Get Info C:\Windows\system32\BdeUnlockWizard.exe type = file_attributes True 1
Get Info C:\Windows\system32\BdeUnlockWizard.exe type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1 type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin type = file_attributes False 1
Read C:\Windows\system32\BdeUnlockWizard.exe size = 98304, size_out = 98304 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE size = 131584, size_out = 131584 True 1
Write C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1 size = 98304 True 1
Write C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin size = 131584 True 1
Delete C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg - True 1
Registry (344)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Open Key HKEY_CURRENT_USER\Software - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming, type = REG_SZ True 1
Duplicate Key - - True 1
Duplicate Key - - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - False 1
Fn
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin os_pid = 0x954, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Module (8)
Operation Module Additional Information Success Count
Load KERNEL32.dll base_address = 0x773b0000 True 1
Load crypt32.dll base_address = 0x0 True 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE, size = 4096 True 1
Get Filename crypt32.dll process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE, size = 512 True 3
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x773eb2b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x773db17b True 1
System (19)
Operation Additional Information Success Count
Get Time type = Ticks, time = 88265 True 10
Get Info type = Operating System True 6
Get Info type = Operating System True 1
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (2)
Operation Additional Information Success Count
Create - True 1
Release - True 1
Process #2: mov7tw~1:bin
Information Value
ID #2
File Name c:\users\5p5nrg~1\appdata\roaming\mov7tw~1:bin
Command Line C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:24, Reason: Child Process
Unmonitor End Time: 00:00:36, Reason: Self Terminated
Monitor Duration 00:00:12
OS Process Information
Information Value
PID 0x954
Parent PID 0x93c (c:\users\5p5nrgjn0js halpmcxz\desktop\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x958
0x964
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File r False False False -
private_0x00000000000e0000 0x000e0000 0x000fbfff Private Memory rwx True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00121fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory rw True False False -
rsaenh.dll 0x00170000 0x001abfff Memory Mapped File r False False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00176fff Pagefile Backed Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00186fff Pagefile Backed Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x0037ffff Private Memory rw True False False -
private_0x00000000003d0000 0x003d0000 0x004cffff Private Memory rw True False False -
pagefile_0x00000000004d0000 0x004d0000 0x00657fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000660000 0x00660000 0x007e0fff Pagefile Backed Memory r True False False -
private_0x00000000007f0000 0x007f0000 0x008cffff Private Memory rw True False False -
private_0x0000000000880000 0x00880000 0x008bffff Private Memory rw True False False -
private_0x00000000008c0000 0x008c0000 0x008cffff Private Memory rw True False False -
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory rw True False False -
private_0x00000000009a0000 0x009a0000 0x009affff Private Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x00b7ffff Private Memory rw True False False -
private_0x00000000009b0000 0x009b0000 0x00aaffff Private Memory rw True False False -
private_0x0000000000b70000 0x00b70000 0x00b7ffff Private Memory rw True False False -
private_0x0000000000cc0000 0x00cc0000 0x00dbffff Private Memory rw True False False -
mov7tw~1 0x00df0000 0x00e12fff Memory Mapped File rwx True True False
pagefile_0x0000000000e20000 0x00e20000 0x0221ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x02220000 0x024eefff Memory Mapped File r False False False -
wow64cpu.dll 0x74f80000 0x74f87fff Memory Mapped File rwx False False False -
wow64win.dll 0x74f90000 0x74febfff Memory Mapped File rwx False False False -
wow64.dll 0x74ff0000 0x7502efff Memory Mapped File rwx False False False -
ntmarta.dll 0x75100000 0x75120fff Memory Mapped File rwx False False False -
rsaenh.dll 0x75130000 0x7516afff Memory Mapped File rwx False False False -
cryptsp.dll 0x75170000 0x75185fff Memory Mapped File rwx False False False -
gdiplus.dll 0x751b0000 0x7533ffff Memory Mapped File rwx False False False -
comctl32.dll 0x75340000 0x753c3fff Memory Mapped File rwx False False False -
winmm.dll 0x753d0000 0x75401fff Memory Mapped File rwx False False False -
oledlg.dll 0x75410000 0x7542bfff Memory Mapped File rwx False False False -
winspool.drv 0x75430000 0x75480fff Memory Mapped File rwx False False False -
cryptbase.dll 0x75590000 0x7559bfff Memory Mapped File rwx False False False -
sspicli.dll 0x755a0000 0x755fffff Memory Mapped File rwx False False False -
msvcrt.dll 0x75660000 0x7570bfff Memory Mapped File rwx False False False -
lpk.dll 0x75710000 0x75719fff Memory Mapped File rwx False False False -
crypt32.dll 0x75720000 0x7583cfff Memory Mapped File rwx False False False -
sechost.dll 0x75a60000 0x75a78fff Memory Mapped File rwx False False False -
gdi32.dll 0x75a80000 0x75b0ffff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75b10000 0x75bfffff Memory Mapped File rwx False False False -
msasn1.dll 0x75c60000 0x75c6bfff Memory Mapped File rwx False False False -
wldap32.dll 0x75c70000 0x75cb4fff Memory Mapped File rwx False False False -
shell32.dll 0x75cc0000 0x76909fff Memory Mapped File rwx False False False -
msctf.dll 0x76b30000 0x76bfbfff Memory Mapped File rwx False False False -
imm32.dll 0x76c00000 0x76c5ffff Memory Mapped File rwx False False False -
ole32.dll 0x76e30000 0x76f8bfff Memory Mapped File rwx False False False -
advapi32.dll 0x76f90000 0x7702ffff Memory Mapped File rwx False False False -
user32.dll 0x771d0000 0x772cffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77350000 0x773a6fff Memory Mapped File rwx False False False -
kernel32.dll 0x773b0000 0x774bffff Memory Mapped File rwx False False False -
usp10.dll 0x77550000 0x775ecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x775f0000 0x77635fff Memory Mapped File rwx False False False -
private_0x0000000077640000 0x77640000 0x77739fff Private Memory rwx True False False -
private_0x0000000077740000 0x77740000 0x7785efff Private Memory rwx True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
psapi.dll 0x77a10000 0x77a14fff Memory Mapped File rwx False False False -
ntdll.dll 0x77a40000 0x77bbffff Memory Mapped File rwx False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory rw True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:0 170.35 KB MD5: 4965b005492cba7719e82b71e3245495
SHA1: 441b048b302f14b6266707de938841a6c27504b5
SHA256: 52ad72c05facc1e0e416a1fa25f34fdd3cb274fab973beaae911a2faca42b650
SSDeep: 3072:wacEHTAkXbVjAaX/0EVNt4xXqutFdNciAqnYCDb5+aVjMvhNOSH2S9oe:0EHskXbVjF/ZNGtFdNdFnTDYZNjPB
False
C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
Host Behavior
File (17)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Local\Temp\y7148.tmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:0 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create Temp File C:\Users\5P5NRG~1\AppData\Local\Temp\y7148.tmp path = C:\Users\5P5NRG~1\AppData\Local\Temp, prefix = y True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\y7148.tmp type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin type = file_attributes True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin type = size, size_out = 0 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE type = size, size_out = 0 True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE type = time True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:0 type = file_attributes False 1
Read C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin size = 131584, size_out = 131584 True 1
Read C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE size = 174440, size_out = 174440 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\y7148.tmp size = 26 True 1
Write C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE size = 131584 True 1
Write C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE:0 size = 174440 True 1
Delete C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1 - True 1
Registry (497)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Write Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet value_name = RequiredPrivileges, data = 10171736, size = 406, type = REG_MULTI_SZ True 1
Write Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet value_name = ObjectName, data = LocalSystem, size = 12, type = REG_SZ True 1
Duplicate Key - - True 3
Enumerate Keys HKEY_LOCAL_MACHINE - True 3
Enumerate Keys HKEY_LOCAL_MACHINE - True 3
Enumerate Keys HKEY_LOCAL_MACHINE - True 3
Enumerate Keys HKEY_LOCAL_MACHINE - True 3
Enumerate Keys HKEY_LOCAL_MACHINE - True 3
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1 (9 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1 (5 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1 (200 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM - True 1 (9 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet - True 1 (5 identical rows)
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services - True 1 (9 identical rows)
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1 (16 identical rows)
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - True 2 (11 identical rows)
Enumerate Values HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver - False 2
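The registry rows above (UAC policy values under Policies\System, the services tree) and the Create and Open rows in the Process section that follows are exactly what a detection rule consumes. As an added example that is not part of VMRay's report or tooling, the Python below parses rows in this report's flattened "Operation Target Additional Information Success Count" layout and raises findings for three behaviours the report records: a shadow-copy tool spawned with a hidden window (vssadmin.exe succeeded, the diskshadow.exe attempt failed with os_pid = 0x0, and a failed attempt still deserves an alert), reads of the UAC policy key, and a process walk in which PROCESS_QUERY_INFORMATION is denied and the sample falls back to PROCESS_QUERY_LIMITED_INFORMATION on the same target. The sample rows are copied from this report; the finding names, severities, tool list and the three-process threshold are my own choices.

```python
"""Added example, not part of the VMRay report: triage the report's flattened
"Operation  Target  Additional Information  Success  Count" rows and emit
findings for behaviours this report records."""
import re
from dataclasses import dataclass

# Row layout of the report's flattened tables. The "Fn" logfile link that a
# scraper leaves on its own line never matches and is skipped.
ROW_RE = re.compile(
    r"^(?P<op>Enumerate Keys|Enumerate Values|Create|Open|Get filename|Get Info)\s+"
    r"(?P<target>\S+)\s+(?P<info>.*?)\s*(?P<success>True|False)\s+(?P<count>\d+)$"
)

# Constructed sample: rows copied from this report.
SAMPLE = r"""
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Create C:\Windows\system32\vssadmin.exe os_pid = 0x968, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\diskshadow.exe os_pid = 0x0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Fn
Open System desired_access = PROCESS_QUERY_INFORMATION False 1
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
"""


@dataclass(frozen=True)
class Row:
    op: str
    target: str
    info: str
    success: bool
    count: int


def parse_rows(text: str) -> list:
    """Parse every line that matches the report's row layout."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["op"], m["target"], m["info"].strip(),
                            m["success"] == "True", int(m["count"])))
    return rows


# Tools ransomware spawns to destroy restore points; the list is my own.
SHADOW_TOOLS = {"vssadmin.exe", "diskshadow.exe", "wbadmin.exe", "wmic.exe", "bcdedit.exe"}
PROCESS_WALK_MIN = 3  # assumption: distinct targets before it counts as a walk


def triage(rows) -> list:
    """Return (severity, message) findings in the order they are detected."""
    findings = []
    # 1. Shadow-copy tooling spawned with a hidden window. A failed spawn
    #    (os_pid = 0x0, Success False) is still an attempt and still alerts.
    for r in rows:
        if r.op == "Create" and r.target.rsplit("\\", 1)[-1].lower() in SHADOW_TOOLS:
            hidden = "CREATE_NO_WINDOW" in r.info or "SW_HIDE" in r.info
            msg = f"shadow-copy tool spawned: {r.target}"
            msg += " (hidden window)" if hidden else ""
            msg += "" if r.success else " [attempt failed]"
            findings.append(("high", msg))
    # 2. UAC policy reconnaissance: reading values under Policies\System.
    if any(r.op == "Enumerate Values"
           and r.target.lower().endswith("\\policies\\system") for r in rows):
        findings.append(("low", "reads UAC policy values under Policies\\System"))
    # 3. Process discovery with the fallback seen in the report: full query
    #    denied, limited query granted, on the same target, across processes.
    denied, limited = set(), set()
    for r in rows:
        if r.op != "Open":
            continue
        if "PROCESS_QUERY_LIMITED_INFORMATION" in r.info and r.success:
            limited.add(r.target)
        elif "PROCESS_QUERY_INFORMATION" in r.info and not r.success:
            denied.add(r.target)
    walked = denied & limited
    if len(walked) >= PROCESS_WALK_MIN:
        findings.append(("medium",
                         f"process walk with limited-query fallback over {len(walked)} targets"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(parse_rows(SAMPLE)):
        print(f"[{sev}] {msg}")
```

In a real pipeline the same logic sits on Sysmon Event ID 1 (process creation with the command line) or on the sandbox's structured export rather than on scraped report text, and the first rule should match the command line ("Delete Shadows") rather than the image name alone, so that a legitimate "vssadmin list shadows" does not page anyone; the failed diskshadow.exe row is the reminder that the attempt, not the outcome, is the signal.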
Process (110)
Operation Process Additional Information Success Count
Create C:\Windows\system32\vssadmin.exe os_pid = 0x968, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create C:\Windows\system32\diskshadow.exe os_pid = 0x0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Get filename System - False 1
Get filename c:\windows\system32\smss.exe file_name = \Device\HarddiskVolume1\Windows\System32\smss.exe True 1
Get filename c:\windows\system32\wininit.exe file_name = \Device\HarddiskVolume1\Windows\System32\wininit.exe True 1
Get filename c:\windows\system32\services.exe file_name = \Device\HarddiskVolume1\Windows\System32\services.exe True 1
Get filename c:\windows\system32\lsass.exe file_name = \Device\HarddiskVolume1\Windows\System32\lsass.exe True 1
Get filename c:\windows\system32\lsm.exe file_name = \Device\HarddiskVolume1\Windows\System32\lsm.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 1 (4 identical rows)
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 4
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\audiodg.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\dwm.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\spoolsv.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\taskhost.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\System32\taskeng.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Windows\explorer.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\connectionsdecade.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Reference Assemblies\spectrum fs.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Common Files\amounts_under.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\emergency_limitation.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Mail\partnerships.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\MSBuild\fit.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Mail\ob reid.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\antonio_done_cultures.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\norfolk_trance_directive.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Uninstall Information\cheese-further-reads.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Analysis Services\walking.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Photo Viewer\happiness.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Media Player\clubs_mobility_dive.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Mozilla Maintenance Service\completing.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Journal\polished expressed.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\need result.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\spring.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\MSBuild\marvel.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Media Player\clicks plc.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\DVD Maker\inter-angle.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Windows Portable Devices\admit cellular.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\contractor.exe True 1
Get filename c:\windows\system32\svchost.exe file_name = \Device\HarddiskVolume1\Program Files\Microsoft Office\theta.exe True 1
Get Info System type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\smss.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\wininit.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\services.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\lsass.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\lsm.exe type = PROCESS_SESSION_INFORMATION True 1
Get Info c:\windows\system32\svchost.exe type = PROCESS_SESSION_INFORMATION True 1 (4 identical rows)
Get Info c:\windows\system32\svchost.exe type = PROCESS_SESSION_INFORMATION True 33
Open System desired_access = PROCESS_QUERY_INFORMATION False 1
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\services.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 1
Fn
Module (8)
Operation Module Additional Information Success Count
Load KERNEL32.dll base_address = 0x773b0000 True 1
Load crypt32.dll base_address = 0x0 True 1
Load psapi.dll base_address = 0x0 True 1
Get Filename - process_name = c:\users\5p5nrg~1\appdata\roaming\mov7tw~1:bin, file_name_orig = C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin, size = 4096 True 1
Get Filename crypt32.dll process_name = c:\users\5p5nrg~1\appdata\roaming\mov7tw~1:bin, file_name_orig = C:\Users\5P5NRG~1\AppData\Roaming\MOV7TW~1:bin, size = 512 True 2
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x773eb2b7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x773db17b True 1
Service (485)
Operation Additional Information Success Count
Control service_name = ose64 False 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = AdobeFlashPlayerUpdateSvc False 1
Get Info service_name = AdobeFlashPlayerUpdateSvc True 1
Get Info service_name = AeLookupSvc False 1
Get Info service_name = AeLookupSvc True 1
Get Info service_name = ALG False 1
Get Info service_name = ALG True 1
Get Info service_name = AppIDSvc False 1
Get Info service_name = AppIDSvc True 1
Get Info service_name = Appinfo False 1
Get Info service_name = Appinfo True 1
Get Info service_name = AppMgmt False 1
Get Info service_name = AppMgmt True 1
Get Info service_name = aspnet_state False 1
Get Info service_name = aspnet_state True 1
Get Info service_name = AudioEndpointBuilder False 1
Get Info service_name = AudioEndpointBuilder True 1
Get Info service_name = AudioSrv False 1
Get Info service_name = AudioSrv True 1
Get Info service_name = AxInstSV False 1
Get Info service_name = AxInstSV True 1
Get Info service_name = BDESVC False 1
Get Info service_name = BDESVC True 1
Get Info service_name = BFE False 1
Get Info service_name = BFE True 1
Get Info service_name = BITS False 1
Get Info service_name = BITS True 1
Get Info service_name = Browser False 1
Get Info service_name = Browser True 1
Get Info service_name = bthserv False 1
Get Info service_name = bthserv True 1
Get Info service_name = CertPropSvc False 1
Get Info service_name = CertPropSvc True 1
Get Info service_name = clr_optimization_v2.0.50727_32 False 1
Get Info service_name = clr_optimization_v2.0.50727_32 True 1
Get Info service_name = clr_optimization_v2.0.50727_64 False 1
Get Info service_name = clr_optimization_v2.0.50727_64 True 1
Get Info service_name = clr_optimization_v4.0.30319_32 False 1
Get Info service_name = clr_optimization_v4.0.30319_32 True 1
Get Info service_name = clr_optimization_v4.0.30319_64 False 1
Get Info service_name = clr_optimization_v4.0.30319_64 True 1
Get Info service_name = COMSysApp False 1
Get Info service_name = COMSysApp True 1
Get Info service_name = CryptSvc False 1
Get Info service_name = CryptSvc True 1
Get Info service_name = CscService False 1
Get Info service_name = CscService True 1
Get Info service_name = DcomLaunch False 1
Get Info service_name = DcomLaunch True 1
Get Info service_name = defragsvc False 1
Get Info service_name = defragsvc True 1
Get Info service_name = Dhcp False 1
Get Info service_name = Dhcp True 1
Get Info service_name = Dnscache False 1
Get Info service_name = Dnscache True 1
Get Info service_name = dot3svc False 1
Get Info service_name = dot3svc True 1
Get Info service_name = DPS False 1
Get Info service_name = DPS True 1
Get Info service_name = EapHost False 1
Get Info service_name = EapHost True 1
Get Info service_name = EFS False 1
Get Info service_name = EFS True 1
Get Info service_name = ehRecvr False 1
Get Info service_name = ehRecvr True 1
Get Info service_name = ehSched False 1
Get Info service_name = ehSched True 1
Get Info service_name = eventlog False 1
Get Info service_name = eventlog True 1
Get Info service_name = EventSystem False 1
Get Info service_name = EventSystem True 1
Get Info service_name = Fax False 1
Get Info service_name = Fax True 1
Get Info service_name = fdPHost False 1
Get Info service_name = fdPHost True 1
Get Info service_name = FDResPub False 1
Get Info service_name = FDResPub True 1
Get Info service_name = FontCache False 1
Get Info service_name = FontCache True 1
Get Info service_name = FontCache3.0.0.0 False 1
Get Info service_name = FontCache3.0.0.0 True 1
Get Info service_name = gpsvc False 1
Get Info service_name = gpsvc True 1
Get Info service_name = gupdate False 1
Get Info service_name = gupdate True 1
Get Info service_name = gupdatem False 1
Get Info service_name = gupdatem True 1
Get Info service_name = hidserv False 1
Get Info service_name = hidserv True 1
Get Info service_name = hkmsvc False 1
Get Info service_name = hkmsvc True 1
Get Info service_name = HomeGroupListener False 1
Get Info service_name = HomeGroupListener True 1
Get Info service_name = HomeGroupProvider False 1
Get Info service_name = HomeGroupProvider True 1
Get Info service_name = idsvc False 1
Get Info service_name = idsvc True 1
Get Info service_name = IKEEXT False 1
Get Info service_name = IKEEXT True 1
Get Info service_name = IPBusEnum False 1
Get Info service_name = IPBusEnum True 1
Get Info service_name = iphlpsvc False 1
Get Info service_name = iphlpsvc True 1
Get Info service_name = KeyIso False 1
Get Info service_name = KeyIso True 1
Get Info service_name = KtmRm False 1
Get Info service_name = KtmRm True 1
Get Info service_name = LanmanServer False 1
Get Info service_name = LanmanServer True 1
Get Info service_name = LanmanWorkstation False 1
Get Info service_name = LanmanWorkstation True 1
Get Info service_name = lltdsvc False 1
Get Info service_name = lltdsvc True 1
Get Info service_name = lmhosts False 1
Get Info service_name = lmhosts True 1
Get Info service_name = Mcx2Svc False 1
Get Info service_name = Mcx2Svc True 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service False 1
Get Info service_name = Microsoft SharePoint Workspace Audit Service True 1
Get Info service_name = MMCSS False 1
Get Info service_name = MMCSS True 1
Get Info service_name = MozillaMaintenance False 1
Get Info service_name = MozillaMaintenance True 1
Get Info service_name = MpsSvc False 1
Get Info service_name = MpsSvc True 1
Get Info service_name = MSDTC False 1
Get Info service_name = MSDTC True 1
Get Info service_name = MSiSCSI False 1
Get Info service_name = MSiSCSI True 1
Get Info service_name = msiserver False 1
Get Info service_name = msiserver True 1
Get Info service_name = napagent False 1
Get Info service_name = napagent True 1
Get Info service_name = Netlogon False 1
Get Info service_name = Netlogon True 1
Get Info service_name = Netman False 1
Get Info service_name = Netman True 1
Get Info service_name = NetMsmqActivator False 1
Get Info service_name = NetMsmqActivator True 1
Get Info service_name = NetPipeActivator False 1
Get Info service_name = NetPipeActivator True 1
Get Info service_name = netprofm False 1
Get Info service_name = netprofm True 1
Get Info service_name = NetTcpActivator False 1
Get Info service_name = NetTcpActivator True 1
Get Info service_name = NetTcpPortSharing False 1
Get Info service_name = NetTcpPortSharing True 1
Get Info service_name = NlaSvc False 1
Get Info service_name = NlaSvc True 1
Get Info service_name = nsi False 1
Get Info service_name = nsi True 1
Get Info service_name = ose64 False 1
Get Info service_name = ose64 True 1
Get Info service_name = osppsvc False 1
Get Info service_name = osppsvc True 1
Get Info service_name = p2pimsvc False 1
Get Info service_name = p2pimsvc True 1
Get Info service_name = p2psvc False 1
Get Info service_name = p2psvc True 1
Get Info service_name = PcaSvc False 1
Get Info service_name = PcaSvc True 1
Get Info service_name = PeerDistSvc False 1
Get Info service_name = PeerDistSvc True 1
Get Info service_name = PerfHost False 1
Get Info service_name = PerfHost True 1
Get Info service_name = pla False 1
Get Info service_name = pla True 1
Get Info service_name = PlugPlay False 1
Get Info service_name = PlugPlay True 1
Get Info service_name = PNRPAutoReg False 1
Get Info service_name = PNRPAutoReg True 1
Get Info service_name = PNRPsvc False 1
Get Info service_name = PNRPsvc True 1
Get Info service_name = PolicyAgent False 1
Get Info service_name = PolicyAgent True 1
Get Info service_name = Power False 1
Get Info service_name = Power True 1
Get Info service_name = ProfSvc False 1
Get Info service_name = ProfSvc True 1
Get Info service_name = ProtectedStorage False 1
Get Info service_name = ProtectedStorage True 1
Get Info service_name = QWAVE False 1
Get Info service_name = QWAVE True 1
Get Info service_name = RasAuto False 1
Get Info service_name = RasAuto True 1
Get Info service_name = RasMan False 1
Get Info service_name = RasMan True 1
Get Info service_name = RemoteAccess False 1
Get Info service_name = RemoteAccess True 1
Get Info service_name = RemoteRegistry False 1
Get Info service_name = RemoteRegistry True 1
Get Info service_name = RpcEptMapper False 1
Get Info service_name = RpcEptMapper True 1
Get Info service_name = RpcLocator False 1
Get Info service_name = RpcLocator True 1
Get Info service_name = RpcSs False 1
Get Info service_name = RpcSs True 1
Get Info service_name = SamSs False 1
Get Info service_name = SamSs True 1
Get Info service_name = SCardSvr False 1
Get Info service_name = SCardSvr True 1
Get Info service_name = Schedule False 1
Get Info service_name = Schedule True 1
Get Info service_name = SCPolicySvc False 1
Get Info service_name = SCPolicySvc True 1
Get Info service_name = SDRSVC False 1
Get Info service_name = SDRSVC True 1
Get Info service_name = seclogon False 1
Get Info service_name = seclogon True 1
Get Info service_name = SENS False 1
Get Info service_name = SENS True 1
Get Info service_name = SensrSvc False 1
Get Info service_name = SensrSvc True 1
Get Info service_name = SessionEnv False 1
Get Info service_name = SessionEnv True 1
Get Info service_name = SharedAccess False 1
Get Info service_name = SharedAccess True 1
Get Info service_name = ShellHWDetection False 1
Get Info service_name = ShellHWDetection True 1
Get Info service_name = SNMPTRAP False 1
Get Info service_name = SNMPTRAP True 1
Get Info service_name = Spooler False 1
Get Info service_name = Spooler True 1
Get Info service_name = sppsvc False 1
Get Info service_name = sppsvc True 1
Get Info service_name = sppuinotify False 1
Get Info service_name = sppuinotify True 1
Get Info service_name = SSDPSRV False 1
Get Info service_name = SSDPSRV True 1
Get Info service_name = SstpSvc False 1
Get Info service_name = SstpSvc True 1
Get Info service_name = stisvc False 1
Get Info service_name = stisvc True 1
Get Info service_name = StorSvc False 1
Get Info service_name = StorSvc True 1
Get Info service_name = swprv False 1
Get Info service_name = swprv True 1
Get Info service_name = SysMain False 1
Get Info service_name = SysMain True 1
Get Info service_name = TabletInputService False 1
Get Info service_name = TabletInputService True 1
Get Info service_name = TapiSrv False 1
Get Info service_name = TapiSrv True 1
Get Info service_name = TBS False 1
Get Info service_name = TBS True 1
Get Info service_name = TermService False 1
Get Info service_name = TermService True 1
Get Info service_name = Themes False 1
Get Info service_name = Themes True 1
Get Info service_name = THREADORDER False 1
Get Info service_name = THREADORDER True 1
Get Info service_name = TrkWks False 1
Get Info service_name = TrkWks True 1
Get Info service_name = TrustedInstaller False 1
Get Info service_name = TrustedInstaller True 1
Get Info service_name = UI0Detect False 1
Get Info service_name = UI0Detect True 1
Get Info service_name = UmRdpService False 1
Get Info service_name = UmRdpService True 1
Get Info service_name = upnphost False 1
Get Info service_name = upnphost True 1
Get Info service_name = UxSms False 1
Get Info service_name = UxSms True 1
Get Info service_name = VaultSvc False 1
Get Info service_name = VaultSvc True 1
Get Info service_name = vds False 1
Get Info service_name = vds True 1
Get Info service_name = VSS False 1
Get Info service_name = VSS True 1
Get Info service_name = W32Time False 1
Get Info service_name = W32Time True 1
Get Info service_name = wbengine False 1
Get Info service_name = wbengine True 1
Get Info service_name = WbioSrvc False 1
Get Info service_name = WbioSrvc True 1
Get Info service_name = wcncsvc False 1
Get Info service_name = wcncsvc True 1
Get Info service_name = WcsPlugInService False 1
Get Info service_name = WcsPlugInService True 1
Get Info service_name = WdiServiceHost False 1
Get Info service_name = WdiServiceHost True 1
Get Info service_name = WdiSystemHost False 1
Get Info service_name = WdiSystemHost True 1
Get Info service_name = WebClient False 1
Get Info service_name = WebClient True 1
Get Info service_name = Wecsvc False 1
Get Info service_name = Wecsvc True 1
Get Info service_name = wercplsupport False 1
Get Info service_name = wercplsupport True 1
Get Info service_name = WerSvc False 1
Get Info service_name = WerSvc True 1
Get Info service_name = WinDefend False 1
Get Info service_name = WinDefend True 1
Get Info service_name = WinHttpAutoProxySvc False 1
Get Info service_name = WinHttpAutoProxySvc True 1
Get Info service_name = Winmgmt False 1
Get Info service_name = Winmgmt True 1
Get Info service_name = WinRM False 1
Get Info service_name = WinRM True 1
Get Info service_name = Wlansvc False 1
Get Info service_name = Wlansvc True 1
Get Info service_name = wmiApSrv False 1
Get Info service_name = wmiApSrv True 1
Get Info service_name = WMPNetworkSvc False 1
Get Info service_name = WMPNetworkSvc True 1
Get Info service_name = WPCSvc False 1
Get Info service_name = WPCSvc True 1
Get Info service_name = WPDBusEnum False 1
Get Info service_name = WPDBusEnum True 1
Get Info service_name = wscsvc False 1
Get Info service_name = wscsvc True 1
Get Info service_name = WSearch False 1
Get Info service_name = WSearch True 1
Get Info service_name = wuauserv False 1
Get Info service_name = wuauserv True 1
Get Info service_name = wudfsvc False 1
Get Info service_name = wudfsvc True 1
Get Info service_name = WwanSvc False 1
Get Info service_name = WwanSvc True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Set Config service_name = ose64 True 1
Start service_name = ose64 True 1
System (19)
Operation Additional Information Success Count
Get Time type = Ticks, time = 91556 True 10
Get Info type = Operating System True 6
Get Info type = Operating System True 1
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Mutex (6)
Operation Additional Information Success Count
Create - True 1
Create mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} True 1
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 1
Release - True 1
Release mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} True 1
Release mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 1
Environment (3)
Operation Additional Information Success Count
Get Environment String name = COMPUTERNAME, result_out = XDUWTFONO True 1
Get Environment String name = USERNAME, result_out = 5p5NrGJn0jS HALPmcxz True 1
Get Environment String name = TEMP, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Process #3: vssadmin.exe
Information Value
ID #3
File Name c:\windows\system32\vssadmin.exe
Command Line C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:27, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:38
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x968
Parent PID 0x954 (c:\users\5p5nrg~1\appdata\roaming\mov7tw~1:bin)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x96C, 0x984, 0x988, 0x98C, 0x990
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x001bffff Private Memory rw True False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
vssadmin.exe.mui 0x001e0000 0x001ecfff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x00270fff Private Memory rw True False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory r True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x0051ffff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory rw True False False -
pagefile_0x0000000000570000 0x00570000 0x006f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000700000 0x00700000 0x00880fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000890000 0x00890000 0x01c8ffff Pagefile Backed Memory r True False False -
private_0x0000000001ca0000 0x01ca0000 0x01d1ffff Private Memory rw True False False -
sortdefault.nls 0x01d20000 0x01feefff Memory Mapped File r False False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007ffff000 0x7ffff000 0x7fffffff Private Memory rw True False False -
vssadmin.exe 0xffac0000 0xffaecfff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef7e80000 0x7fef7e96fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef7ea0000 0x7fef804ffff Memory Mapped File rwx False False False -
atl.dll 0x7fefb260000 0x7fefb278fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #4: System
Information Value
ID #4
File Name System
Command Line -
Initial Working Directory -
Monitor Start Time: 00:00:28, Reason: Created Daemon
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4
Parent PID 0x104 (c:\windows\system32\smss.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x00032fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x0005ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000060000 0x00060000 0x0007ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000080000 0x00080000 0x00080fff Pagefile Backed Memory rw True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
ntdll.dll 0x77a40000 0x77bbffff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
pagefile_0x000007fff23d0000 0x7fff23d0000 0x7fff23fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff28d0000 0x7fff28d0000 0x7fff28fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff2dd0000 0x7fff2dd0000 0x7fff2dfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff32d0000 0x7fff32d0000 0x7fff32fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff37d0000 0x7fff37d0000 0x7fff37fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff3cd0000 0x7fff3cd0000 0x7fff3cfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff41d0000 0x7fff41d0000 0x7fff41fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff46d0000 0x7fff46d0000 0x7fff46fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff4bd0000 0x7fff4bd0000 0x7fff4bfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff50d0000 0x7fff50d0000 0x7fff50fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff55d0000 0x7fff55d0000 0x7fff55fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff5ad0000 0x7fff5ad0000 0x7fff5afffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff5fd0000 0x7fff5fd0000 0x7fff5ffffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff64d0000 0x7fff64d0000 0x7fff64fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff69d0000 0x7fff69d0000 0x7fff69fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff6ed0000 0x7fff6ed0000 0x7fff6efffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff73d0000 0x7fff73d0000 0x7fff73fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff78d0000 0x7fff78d0000 0x7fff78fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff7dd0000 0x7fff7dd0000 0x7fff7dfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff82d0000 0x7fff82d0000 0x7fff82fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff87d0000 0x7fff87d0000 0x7fff87fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff8cd0000 0x7fff8cd0000 0x7fff8cfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff91d0000 0x7fff91d0000 0x7fff91fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff96d0000 0x7fff96d0000 0x7fff96fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fff9bd0000 0x7fff9bd0000 0x7fff9bfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffa0d0000 0x7fffa0d0000 0x7fffa0fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffa5d0000 0x7fffa5d0000 0x7fffa5fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffaad0000 0x7fffaad0000 0x7fffaafffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffafd0000 0x7fffafd0000 0x7fffaffffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffb4d0000 0x7fffb4d0000 0x7fffb4fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffb9d0000 0x7fffb9d0000 0x7fffb9fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffbed0000 0x7fffbed0000 0x7fffbefffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffc3d0000 0x7fffc3d0000 0x7fffc3fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffc8d0000 0x7fffc8d0000 0x7fffc8fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffcdd0000 0x7fffcdd0000 0x7fffcdfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffd2d0000 0x7fffd2d0000 0x7fffd2fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffd7d0000 0x7fffd7d0000 0x7fffd7fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffdcd0000 0x7fffdcd0000 0x7fffdcfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffe1d0000 0x7fffe1d0000 0x7fffe1fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffe6d0000 0x7fffe6d0000 0x7fffe6fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007fffebd0000 0x7fffebd0000 0x7fffebfffff Pagefile Backed Memory rw True False False -
pagefile_0x000007ffff0d0000 0x7ffff0d0000 0x7ffff0fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007ffff5d0000 0x7ffff5d0000 0x7ffff5fffff Pagefile Backed Memory rw True False False -
pagefile_0x000007ffffad0000 0x7ffffad0000 0x7ffffafffff Pagefile Backed Memory rw True False False -
Process #5: services.exe
Information Value
ID #5
File Name c:\windows\system32\services.exe
Command Line C:\Windows\system32\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Created Daemon
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x1d4
Parent PID 0x178 (c:\windows\system32\wininit.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x001fffff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
private_0x0000000000400000 0x00400000 0x00400fff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x00410fff Private Memory rw True False False -
private_0x0000000000430000 0x00430000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000440000 0x00440000 0x005c7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005d0000 0x005d0000 0x00750fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x0081ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000820000 0x00820000 0x00c12fff Pagefile Backed Memory r True False False -
private_0x0000000000d00000 0x00d00000 0x00d3ffff Private Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00e2ffff Private Memory rw True False False -
private_0x0000000000e40000 0x00e40000 0x00ebffff Private Memory rw True False False -
private_0x0000000000eb0000 0x00eb0000 0x00f2ffff Private Memory rw True False False -
private_0x0000000000f00000 0x00f00000 0x00f7ffff Private Memory rw True False False -
private_0x0000000000f90000 0x00f90000 0x0100ffff Private Memory rw True False False -
private_0x0000000001020000 0x01020000 0x0109ffff Private Memory rw True False False -
private_0x00000000010d0000 0x010d0000 0x0114ffff Private Memory rw True False False -
private_0x0000000001160000 0x01160000 0x011dffff Private Memory rw True False False -
private_0x00000000011f0000 0x011f0000 0x0126ffff Private Memory rw True False False -
private_0x0000000001270000 0x01270000 0x012effff Private Memory rw True False False -
private_0x0000000001300000 0x01300000 0x0137ffff Private Memory rw True False False -
private_0x00000000015f0000 0x015f0000 0x0166ffff Private Memory rw True False False -
private_0x0000000001670000 0x01670000 0x016effff Private Memory rw True False False -
private_0x0000000001730000 0x01730000 0x017affff Private Memory rw True False False -
private_0x00000000017b0000 0x017b0000 0x018affff Private Memory rw True False False -
sortdefault.nls 0x018b0000 0x01b7efff Memory Mapped File r False False False -
private_0x0000000001b80000 0x01b80000 0x01c7ffff Private Memory rw True False False -
private_0x0000000001c80000 0x01c80000 0x01e7ffff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x0207ffff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x0247ffff Private Memory rw True False False -
private_0x0000000002590000 0x02590000 0x0260ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
services.exe 0xffeb0000 0xfff02fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefba10000 0x7fefba20fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
ubpm.dll 0x7fefcc60000 0x7fefcc98fff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
wship6.dll 0x7fefd030000 0x7fefd036fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
wmsgapi.dll 0x7fefd1f0000 0x7fefd1f7fff Memory Mapped File rwx False False False -
authz.dll 0x7fefd290000 0x7fefd2befff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd5a0000 0x7fefd5c2fff Memory Mapped File rwx False False False -
scesrv.dll 0x7fefd5d0000 0x7fefd636fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd640000 0x7fefd64afff Memory Mapped File rwx False False False -
scext.dll 0x7fefd650000 0x7fefd668fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd750000 0x7fefd78cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd7b0000 0x7fefd7befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffff98000 0x7fffff98000 0x7fffff99fff Private Memory rw True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #6: svchost.exe
Information Value
ID #6
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x254
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory r True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x002b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c0fff Pagefile Backed Memory r True False False -
umpnpmgr.dll.mui 0x002d0000 0x002d3fff Memory Mapped File rw False False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x005a7fff Pagefile Backed Memory r True False False -
private_0x00000000005c0000 0x005c0000 0x0063ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x006cffff Private Memory rw True False False -
sortdefault.nls 0x007c0000 0x00a8efff Memory Mapped File r False False False -
pagefile_0x0000000000a90000 0x00a90000 0x00c10fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000c20000 0x00c20000 0x00cdffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000ce0000 0x00ce0000 0x010d2fff Pagefile Backed Memory r True False False -
private_0x0000000001190000 0x01190000 0x0119ffff Private Memory rw True False False -
private_0x00000000011e0000 0x011e0000 0x0125ffff Private Memory rw True False False -
private_0x00000000012a0000 0x012a0000 0x0131ffff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x0143ffff Private Memory rw True False False -
private_0x00000000014d0000 0x014d0000 0x0154ffff Private Memory rw True False False -
private_0x00000000015a0000 0x015a0000 0x0161ffff Private Memory rw True False False -
private_0x0000000001690000 0x01690000 0x0170ffff Private Memory rw True False False -
private_0x0000000001740000 0x01740000 0x017bffff Private Memory rw True False False -
private_0x00000000017c0000 0x017c0000 0x018bffff Private Memory rw True False False -
private_0x00000000018e0000 0x018e0000 0x0195ffff Private Memory rw True False False -
private_0x0000000001980000 0x01980000 0x019fffff Private Memory rw True False False -
private_0x0000000001be0000 0x01be0000 0x01c5ffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001d50000 0x01d50000 0x01e4ffff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01f4ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
wmiutils.dll 0x7fef7040000 0x7fef7065fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7070000 0x7fef7083fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7370000 0x7fef737efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7380000 0x7fef73a6fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef73b0000 0x7fef7491fff Memory Mapped File rwx False False False -
wmidcprv.dll 0x7fef74a0000 0x7fef74d1fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7690000 0x7fef7715fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefba10000 0x7fefba20fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefc7a0000 0x7fefc7ccfff Memory Mapped File rwx False False False -
rpcss.dll 0x7fefca70000 0x7fefcaf0fff Memory Mapped File rwx False False False -
umpo.dll 0x7fefcb00000 0x7fefcb2bfff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefcb30000 0x7fefcb4afff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcb50000 0x7fefcb6dfff Memory Mapped File rwx False False False -
devrtl.dll 0x7fefcb70000 0x7fefcb81fff Memory Mapped File rwx False False False -
spinf.dll 0x7fefcb90000 0x7fefcbaefff Memory Mapped File rwx False False False -
umpnpmgr.dll 0x7fefcbb0000 0x7fefcc16fff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
pcwum.dll 0x7fefccb0000 0x7fefccbcfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd750000 0x7fefd78cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd7b0000 0x7fefd7befff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd850000 0x7fefd85efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd970000 0x7fefd989fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd990000 0x7fefdaf6fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdb00000 0x7fefdb35fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefdb40000 0x7fefdb79fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff300000 0x7feff4d6fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feff600000 0x7feff651fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #7: svchost.exe
Information Value
ID #7
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x294
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory r True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory rw True False False -
Process #8: svchost.exe
Information Value
ID #8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x2c8
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x890, 0x230, 0x598, 0x6A8, 0x618, 0x5E4, 0x5E0, 0x5DC, 0x334, 0x1E0, 0x3C4, 0x3BC, 0x3AC, 0x300, 0x2FC, 0x2EC, 0x2E4, 0x2D4, 0x2CC, 0xA80, 0x410, 0x810
Process #9: svchost.exe
Information Value
ID #9
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x310
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x734, 0x274, 0x5A8, 0x784, 0x764, 0x760, 0x650, 0x640, 0x15C, 0x120, 0x3F4, 0x3F0, 0x3E8, 0x3E4, 0x3D4, 0x3D0, 0x39C, 0x398, 0x388, 0x378, 0x338, 0x330, 0x318, 0x314, 0x7C0, 0x8EC
Process #10: svchost.exe
Information Value
ID #10
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k netsvcs
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x350
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x724, 0x5C4, 0x150, 0x404, 0x43C, 0x174, 0x7B8, 0x7B4, 0x7B0, 0x748, 0x714, 0x704, 0x700, 0x6E0, 0x6CC, 0x6C4, 0x68C, 0x688, 0x670, 0x65C, 0x4C4, 0x47C, 0x478, 0x438, 0x430, 0x42C, 0x420, 0x14C, 0x3A8, 0xC8, 0x3F8, 0x3EC, 0x3A0, 0x394, 0x390, 0x38C, 0x36C, 0x354, 0xB74, 0xB78, 0xB7C, 0xB80, 0xB84, 0xB88, 0xB8C, 0xB94, 0xB98, 0xB9C, 0xBA0, 0x44C, 0x358, 0x790, 0x444, 0x5A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x001effff Private Memory rw True False False -
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x00200fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory r True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00250000 0x00253fff Memory Mapped File r True False False -
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory r True False False -
cversions.2.db 0x00270000 0x00273fff Memory Mapped File r True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000610000 0x00610000 0x00790fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x0085ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000860000 0x00860000 0x00c52fff Pagefile Backed Memory r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x00c60000 0x00c8ffff Memory Mapped File r True False False -
private_0x0000000000c90000 0x00c90000 0x00c9ffff Private Memory rw True False False -
private_0x0000000000ca0000 0x00ca0000 0x00d1ffff Private Memory rw True False False -
private_0x0000000000d20000 0x00d20000 0x00d9ffff Private Memory rw True False False -
pagefile_0x0000000000da0000 0x00da0000 0x00da0fff Pagefile Backed Memory rw True False False -
private_0x0000000000db0000 0x00db0000 0x00e2ffff Private Memory rw True False False -
pagefile_0x0000000000e30000 0x00e30000 0x00e30fff Pagefile Backed Memory r True False False -
private_0x0000000000e40000 0x00e40000 0x00e4ffff Private Memory rw True False False -
private_0x0000000000e50000 0x00e50000 0x00ecffff Private Memory rw True False False -
private_0x0000000000ed0000 0x00ed0000 0x00edffff Private Memory rw True False False -
private_0x0000000000ee0000 0x00ee0000 0x00f5ffff Private Memory rw True False False -
sortdefault.nls 0x00f60000 0x0122efff Memory Mapped File r False False False -
firewallapi.dll.mui 0x01230000 0x0124bfff Memory Mapped File rw False False False -
private_0x0000000001290000 0x01290000 0x0130ffff Private Memory rw True False False -
private_0x0000000001320000 0x01320000 0x0139ffff Private Memory rw True False False -
private_0x00000000013a0000 0x013a0000 0x0141ffff Private Memory rw True False False -
private_0x0000000001460000 0x01460000 0x014dffff Private Memory rw True False False -
private_0x0000000001530000 0x01530000 0x015affff Private Memory rw True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x015b0000 0x01615fff Memory Mapped File r True False False -
private_0x0000000001620000 0x01620000 0x0169ffff Private Memory rw True False False -
private_0x0000000001710000 0x01710000 0x0178ffff Private Memory rw True False False -
private_0x00000000017b0000 0x017b0000 0x0182ffff Private Memory rw True False False -
private_0x0000000001830000 0x01830000 0x018affff Private Memory rw True False False -
private_0x00000000018d0000 0x018d0000 0x0194ffff Private Memory rw True False False -
private_0x0000000001950000 0x01950000 0x019cffff Private Memory rw True False False -
private_0x0000000001a00000 0x01a00000 0x01a7ffff Private Memory rw True False False -
private_0x0000000001aa0000 0x01aa0000 0x01b1ffff Private Memory rw True False False -
private_0x0000000001b80000 0x01b80000 0x01bfffff Private Memory rw True False False -
private_0x0000000001c30000 0x01c30000 0x01caffff Private Memory rw True False False -
private_0x0000000001cd0000 0x01cd0000 0x01d4ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e0ffff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01f0ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory rw True False False -
pagefile_0x0000000001fb0000 0x01fb0000 0x022f2fff Pagefile Backed Memory r True False False -
private_0x0000000002310000 0x02310000 0x0238ffff Private Memory rw True False False -
private_0x00000000023b0000 0x023b0000 0x0242ffff Private Memory rw True False False -
private_0x0000000002430000 0x02430000 0x024affff Private Memory rw True False False -
private_0x00000000024d0000 0x024d0000 0x0254ffff Private Memory rw True False False -
private_0x0000000002550000 0x02550000 0x025cffff Private Memory rw True False False -
private_0x00000000025d0000 0x025d0000 0x0264ffff Private Memory rw True False False -
private_0x0000000002670000 0x02670000 0x026effff Private Memory rw True False False -
private_0x00000000027b0000 0x027b0000 0x0282ffff Private Memory rw True False False -
private_0x00000000029b0000 0x029b0000 0x02a2ffff Private Memory rw True False False -
private_0x0000000002a80000 0x02a80000 0x02afffff Private Memory rw True False False -
private_0x0000000002bd0000 0x02bd0000 0x02c4ffff Private Memory rw True False False -
private_0x0000000002cd0000 0x02cd0000 0x02dcffff Private Memory rw True False False -
private_0x0000000002e30000 0x02e30000 0x02e3ffff Private Memory rw True False False -
private_0x0000000002e40000 0x02e40000 0x02f3ffff Private Memory rw True False False -
private_0x0000000002f40000 0x02f40000 0x0303ffff Private Memory rw True False False -
private_0x00000000031a0000 0x031a0000 0x0321ffff Private Memory rw True False False -
private_0x0000000003300000 0x03300000 0x0337ffff Private Memory rw True False False -
private_0x0000000003470000 0x03470000 0x034effff Private Memory rw True False False -
private_0x00000000034f0000 0x034f0000 0x0356ffff Private Memory rw True False False -
private_0x00000000035a0000 0x035a0000 0x0361ffff Private Memory rw True False False -
private_0x0000000003670000 0x03670000 0x036effff Private Memory rw True False False -
private_0x00000000036f0000 0x036f0000 0x037effff Private Memory rw True False False -
pagefile_0x00000000037f0000 0x037f0000 0x038effff Pagefile Backed Memory rw True False False -
private_0x00000000038f0000 0x038f0000 0x0396ffff Private Memory rw True False False -
private_0x0000000003980000 0x03980000 0x039fffff Private Memory rw True False False -
private_0x0000000003a30000 0x03a30000 0x03aaffff Private Memory rw True False False -
private_0x0000000003b60000 0x03b60000 0x03bdffff Private Memory rw True False False -
private_0x0000000003c00000 0x03c00000 0x03c7ffff Private Memory rw True False False -
private_0x0000000003c80000 0x03c80000 0x03e7ffff Private Memory rw True False False -
private_0x0000000003f00000 0x03f00000 0x03f7ffff Private Memory rw True False False -
private_0x0000000004130000 0x04130000 0x041affff Private Memory rw True False False -
private_0x00000000041e0000 0x041e0000 0x0425ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
tcpipcfg.dll 0x7fef4a40000 0x7fef4a81fff Memory Mapped File rwx False False False -
rascfg.dll 0x7fef4a90000 0x7fef4aa9fff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef69e0000 0x7fef69ebfff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7fef6d60000 0x7fef6d67fff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef6d70000 0x7fef6de3fff Memory Mapped File rwx False False False -
hnetcfg.dll 0x7fef6df0000 0x7fef6e5afff Memory Mapped File rwx False False False -
wbemess.dll 0x7fef6e60000 0x7fef6eddfff Memory Mapped File rwx False False False -
ncobjapi.dll 0x7fef6ee0000 0x7fef6ef5fff Memory Mapped File rwx False False False -
wmiprvsd.dll 0x7fef6f00000 0x7fef6fbbfff Memory Mapped File rwx False False False -
repdrvfs.dll 0x7fef6fc0000 0x7fef7032fff Memory Mapped File rwx False False False -
wmiutils.dll 0x7fef7040000 0x7fef7065fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7fef7070000 0x7fef7083fff Memory Mapped File rwx False False False -
esscli.dll 0x7fef7090000 0x7fef70fefff Memory Mapped File rwx False False False -
wbemcore.dll 0x7fef7100000 0x7fef722efff Memory Mapped File rwx False False False -
resutils.dll 0x7fef7230000 0x7fef7248fff Memory Mapped File rwx False False False -
clusapi.dll 0x7fef7250000 0x7fef729ffff Memory Mapped File rwx False False False -
sscore.dll 0x7fef72a0000 0x7fef72a7fff Memory Mapped File rwx False False False -
nci.dll 0x7fef72b0000 0x7fef72c9fff Memory Mapped File rwx False False False -
netcfgx.dll 0x7fef72d0000 0x7fef7353fff Memory Mapped File rwx False False False -
tschannel.dll 0x7fef7360000 0x7fef7368fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7fef7370000 0x7fef737efff Memory Mapped File rwx False False False -
ntdsapi.dll 0x7fef7380000 0x7fef73a6fff Memory Mapped File rwx False False False -
fastprox.dll 0x7fef73b0000 0x7fef7491fff Memory Mapped File rwx False False False -
browser.dll 0x7fef74e0000 0x7fef7504fff Memory Mapped File rwx False False False -
srvsvc.dll 0x7fef7510000 0x7fef754cfff Memory Mapped File rwx False False False -
wdscore.dll 0x7fef7550000 0x7fef7596fff Memory Mapped File rwx False False False -
sqmapi.dll 0x7fef75a0000 0x7fef75e1fff Memory Mapped File rwx False False False -
iphlpsvc.dll 0x7fef75f0000 0x7fef7681fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7fef7690000 0x7fef7715fff Memory Mapped File rwx False False False -
wmisvc.dll 0x7fef7720000 0x7fef775ffff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef7e80000 0x7fef7e96fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef7ea0000 0x7fef804ffff Memory Mapped File rwx False False False -
actxprxy.dll 0x7fef8c40000 0x7fef8d2dfff Memory Mapped File rwx False False False -
appinfo.dll 0x7fef9080000 0x7fef9094fff Memory Mapped File rwx False False False -
taskcomp.dll 0x7fefa720000 0x7fefa796fff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefacb0000 0x7fefacb9fff Memory Mapped File rwx False False False -
schedsvc.dll 0x7fefacc0000 0x7fefadd1fff Memory Mapped File rwx False False False -
wiarpc.dll 0x7fefade0000 0x7fefadeefff Memory Mapped File rwx False False False -
fvecerts.dll 0x7fefadf0000 0x7fefadf8fff Memory Mapped File rwx False False False -
tbs.dll 0x7fefae00000 0x7fefae08fff Memory Mapped File rwx False False False -
fveapi.dll 0x7fefae10000 0x7fefae65fff Memory Mapped File rwx False False False -
shsvcs.dll 0x7fefae90000 0x7fefaeedfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefafe0000 0x7fefb032fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
sens.dll 0x7fefb1a0000 0x7fefb1b3fff Memory Mapped File rwx False False False -
es.dll 0x7fefb1c0000 0x7fefb226fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb230000 0x7fefb23afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb240000 0x7fefb24bfff Memory Mapped File rwx False False False -
themeservice.dll 0x7fefb250000 0x7fefb25ffff Memory Mapped File rwx False False False -
For performance reasons, the remaining 146 entries are omitted.
The remaining entries can be found in flog.txt.
Process #11: svchost.exe
Information Value
ID #11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xf0
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x7AC, 0x7A8, 0x780, 0x77C, 0x758, 0x754, 0x61C, 0x158, 0x154, 0x130, 0x12C, 0x11C, 0xA6C, 0x5AC, 0x324, 0x7FC, 0x8B0, 0x820
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x0017ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x00210fff Private Memory rw True False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory r True False False -
es.dll 0x00240000 0x00250fff Memory Mapped File r False False False -
stdole2.tlb 0x00260000 0x00263fff Memory Mapped File r False False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory r True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00480fff Pagefile Backed Memory r True False False -
private_0x0000000000490000 0x00490000 0x0049ffff Private Memory rw True False False -
pagefile_0x00000000004a0000 0x004a0000 0x00627fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000630000 0x00630000 0x007b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007c0000 0x007c0000 0x00bb2fff Pagefile Backed Memory r True False False -
private_0x0000000000c20000 0x00c20000 0x00c9ffff Private Memory rw True False False -
private_0x0000000000d00000 0x00d00000 0x00d7ffff Private Memory rw True False False -
private_0x0000000000e70000 0x00e70000 0x00eeffff Private Memory rw True False False -
private_0x0000000000ef0000 0x00ef0000 0x00f6ffff Private Memory rw True False False -
private_0x0000000000f70000 0x00f70000 0x00feffff Private Memory rw True False False -
private_0x0000000001080000 0x01080000 0x0108ffff Private Memory rw True False False -
sortdefault.nls 0x010a0000 0x0136efff Memory Mapped File r False False False -
private_0x0000000001370000 0x01370000 0x0146ffff Private Memory rw True False False -
private_0x0000000001470000 0x01470000 0x0156ffff Private Memory rw True False False -
private_0x0000000001600000 0x01600000 0x0167ffff Private Memory rw True False False -
private_0x00000000016b0000 0x016b0000 0x0172ffff Private Memory rw True False False -
private_0x0000000001790000 0x01790000 0x0180ffff Private Memory rw True False False -
private_0x0000000001870000 0x01870000 0x018effff Private Memory rw True False False -
private_0x0000000001930000 0x01930000 0x0193ffff Private Memory rw True False False -
private_0x0000000001960000 0x01960000 0x019dffff Private Memory rw True False False -
private_0x0000000001aa0000 0x01aa0000 0x01b9ffff Private Memory rw True False False -
private_0x0000000001bb0000 0x01bb0000 0x01bbffff Private Memory rw True False False -
private_0x0000000001bc0000 0x01bc0000 0x01c3ffff Private Memory rw True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
kernelbase.dll.mui 0x01cc0000 0x01d7ffff Memory Mapped File rw False False False -
private_0x0000000001db0000 0x01db0000 0x01e2ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x01faffff Private Memory rw True False False -
private_0x0000000001fb0000 0x01fb0000 0x021affff Private Memory rw True False False -
sfc.dll 0x73f90000 0x73f92fff Memory Mapped File rwx False False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef69e0000 0x7fef69ebfff Memory Mapped File rwx False False False -
perftrack.dll 0x7fef6a30000 0x7fef6b07fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7fef6d60000 0x7fef6d67fff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef6d70000 0x7fef6de3fff Memory Mapped File rwx False False False -
wdi.dll 0x7fef7b60000 0x7fef7b78fff Memory Mapped File rwx False False False -
sfc_os.dll 0x7fef7b80000 0x7fef7b8ffff Memory Mapped File rwx False False False -
aepic.dll 0x7fef7b90000 0x7fef7ba1fff Memory Mapped File rwx False False False -
webio.dll 0x7fef7d00000 0x7fef7d63fff Memory Mapped File rwx False False False -
winhttp.dll 0x7fef7d70000 0x7fef7de0fff Memory Mapped File rwx False False False -
wer.dll 0x7fef8860000 0x7fef88dbfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefafe0000 0x7fefb032fff Memory Mapped File rwx False False False -
nsisvc.dll 0x7fefb110000 0x7fefb119fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
es.dll 0x7fefb1c0000 0x7fefb226fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb300000 0x7fefb314fff Memory Mapped File rwx False False False -
pnrpnsp.dll 0x7fefb990000 0x7fefb9a8fff Memory Mapped File rwx False False False -
napinsp.dll 0x7fefb9b0000 0x7fefb9c4fff Memory Mapped File rwx False False False -
winrnr.dll 0x7fefba30000 0x7fefba3afff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbbb0000 0x7fefbbc7fff Memory Mapped File rwx False False False -
version.dll 0x7fefc970000 0x7fefc97bfff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefcb30000 0x7fefcb4afff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fefcec0000 0x7fefcf1afff Memory Mapped File rwx False False False -
wship6.dll 0x7fefd030000 0x7fefd036fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd640000 0x7fefd64afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
sxs.dll 0x7fefd6b0000 0x7fefd740fff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
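The Region tables for processes #10 to #12 all carry the same nine columns, and the question an analyst asks of a system svchost.exe in a ransomware run is whether any of its executable memory is not backed by an image on disk (the usual footprint of injected code) or was dumped or matched by YARA. The following parser and triage check is an added example written for this page, not VMRay's own tooling; it assumes the whitespace-separated row layout rendered here, and its sample table mixes rows copied from the Process #11 table above with one constructed row (private_0x0000000005000000) that does not appear in the report and stands in for an injected payload.

```python
"""Parse the per-process Region table of a VMRay dynamic analysis report and
flag regions that deserve a closer look. Added example; assumes the
whitespace-separated layout shown on this page."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    type: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool
    actions: str

    @property
    def size(self) -> int:
        # End VA is inclusive in the report (e.g. 0x00010000..0x0001ffff is 64 KiB).
        return self.end - self.start + 1


def _flag(token: str) -> bool:
    if token not in ("True", "False"):
        raise ValueError(f"expected True/False, got {token!r}")
    return token == "True"


def parse_region(line: str) -> Region:
    """Parse one table row. The Type column contains spaces ("Pagefile Backed
    Memory", "Private Memory", "Memory Mapped File"), so take the three leading
    and five trailing fixed columns and join whatever is left in between."""
    tok = line.split()
    if len(tok) < 9:
        raise ValueError(f"too few columns: {line!r}")
    name, start, end = tok[0], int(tok[1], 16), int(tok[2], 16)
    perms, monitored, dumped, yara, actions = tok[-5:]
    rtype = " ".join(tok[3:-5])
    if end < start:
        raise ValueError(f"end VA below start VA: {line!r}")
    return Region(name, start, end, rtype, perms,
                  _flag(monitored), _flag(dumped), _flag(yara), actions)


def parse_table(text: str) -> List[Region]:
    """Parse a whole Region table, skipping the header and the report's
    'remaining entries are omitted' trailer lines."""
    regions = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("Name ")
                or line.startswith("For performance")
                or line.startswith("The remaining")):
            continue
        regions.append(parse_region(line))
    return regions


def triage(regions: Iterable[Region]) -> List[str]:
    """Return findings. Executable memory that is not a mapped image is the
    classic sign of injected or unpacked code; regions the sandbox dumped or
    matched with YARA are worth pulling from flog.txt regardless."""
    findings = []
    for r in regions:
        if "x" in r.perms and r.type != "Memory Mapped File":
            findings.append(f"executable non-image memory: {r.name} "
                            f"{r.type} {r.perms} ({r.size:#x} bytes)")
        if r.dumped or r.yara:
            findings.append(f"sandbox flagged region: {r.name} "
                            f"dumped={r.dumped} yara={r.yara}")
    return findings


# Rows copied from the Process #11 table above, plus one CONSTRUCTED row
# (private_0x0000000005000000) that is not in the report.
SAMPLE_TABLE = """\
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
es.dll 0x00240000 0x00250fff Memory Mapped File r False False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
private_0x0000000005000000 0x05000000 0x0500ffff Private Memory rwx True True False -
"""

if __name__ == "__main__":
    for finding in triage(parse_table(SAMPLE_TABLE)):
        print(finding)
```

Run against the real rows only, the check returns nothing, which is consistent with the report's remark that no high-level activity was detected in the monitored regions; the constructed rwx private region is reported twice (once as executable non-image memory, once because its Dumped flag is set). Note that es.dll mapped read-only at 0x00240000 is not flagged: an image mapped without execute rights was loaded as a data file, which is normal for resource-only loads.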
Process #12: svchost.exe
Information Value
ID #12
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x268
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8B4, 0x840, 0x7A4, 0x7A0, 0x798, 0x794, 0x744, 0x674, 0x654, 0x608, 0x5E8, 0x41C, 0x418, 0x414, 0x3D8, 0x370, 0x2B0, 0x290, 0xA70, 0x4B4, 0x918, 0x8B8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
private_0x0000000000130000 0x00130000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001c9fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001effff Pagefile Backed Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000200000 0x00200000 0x0020ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x0021ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000220000 0x00220000 0x0022ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000230000 0x00230000 0x0023ffff Pagefile Backed Memory rw True False False -
private_0x0000000000240000 0x00240000 0x00240fff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x0045ffff Private Memory rw True False False -
private_0x0000000000460000 0x00460000 0x0046ffff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x00480fff Private Memory rw True False False -
private_0x0000000000490000 0x00490000 0x00491fff Private Memory rw True False False -
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004b4fff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004c0fff Private Memory rw True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory rw True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000810000 0x00810000 0x008cffff Pagefile Backed Memory r True False False -
pagefile_0x00000000008d0000 0x008d0000 0x00cc2fff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x00cd0000 0x00d8ffff Memory Mapped File rw False False False -
private_0x0000000000d90000 0x00d90000 0x00d90fff Private Memory rw True False False -
catdb 0x00da0000 0x00daffff Memory Mapped File rw False False False -
catdb 0x00db0000 0x00dbffff Memory Mapped File rw False False False -
catdb 0x00dc0000 0x00dcffff Memory Mapped File rw False False False -
catdb 0x00dd0000 0x00ddffff Memory Mapped File rw False False False -
private_0x0000000000de0000 0x00de0000 0x00e5ffff Private Memory rw True False False -
catdb 0x00e60000 0x00e6ffff Memory Mapped File rw False False False -
catdb 0x00e70000 0x00e7ffff Memory Mapped File rw False False False -
catdb 0x00e80000 0x00e8ffff Memory Mapped File rw False False False -
catdb 0x00e90000 0x00e9ffff Memory Mapped File rw False False False -
catdb 0x00ea0000 0x00eaffff Memory Mapped File rw False False False -
private_0x0000000000eb0000 0x00eb0000 0x00f2ffff Private Memory rw True False False -
sortdefault.nls 0x00f30000 0x011fefff Memory Mapped File r False False False -
private_0x0000000001200000 0x01200000 0x0127ffff Private Memory rw True False False -
catdb 0x01280000 0x0128ffff Memory Mapped File rw False False False -
catdb 0x01310000 0x0131ffff Memory Mapped File rw False False False -
catdb 0x01320000 0x0132ffff Memory Mapped File rw False False False -
catdb 0x01330000 0x0133ffff Memory Mapped File rw False False False -
catdb 0x01340000 0x0134ffff Memory Mapped File rw False False False -
private_0x0000000001350000 0x01350000 0x0135ffff Private Memory rw True False False -
private_0x0000000001360000 0x01360000 0x013dffff Private Memory rw True False False -
pagefile_0x00000000013e0000 0x013e0000 0x013effff Pagefile Backed Memory rw True False False -
pagefile_0x00000000013f0000 0x013f0000 0x013fffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001400000 0x01400000 0x0140ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001410000 0x01410000 0x0141ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001420000 0x01420000 0x0142ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001430000 0x01430000 0x0143ffff Pagefile Backed Memory rw True False False -
private_0x0000000001440000 0x01440000 0x0144ffff Private Memory rw True False False -
private_0x0000000001450000 0x01450000 0x014cffff Private Memory rw True False False -
private_0x00000000014d0000 0x014d0000 0x014dffff Private Memory rw True False False -
private_0x00000000014e0000 0x014e0000 0x0155ffff Private Memory rw True False False -
private_0x0000000001560000 0x01560000 0x015dffff Private Memory rw True False False -
private_0x00000000015e0000 0x015e0000 0x015effff Private Memory rw True False False -
private_0x00000000015f0000 0x015f0000 0x0166ffff Private Memory rw True False False -
private_0x0000000001670000 0x01670000 0x0167ffff Private Memory rw True False False -
private_0x0000000001680000 0x01680000 0x016fffff Private Memory rw True False False -
private_0x0000000001700000 0x01700000 0x01700fff Private Memory rw True False False -
private_0x0000000001710000 0x01710000 0x01710fff Private Memory rw True False False -
private_0x0000000001720000 0x01720000 0x0172ffff Private Memory rw True False False -
private_0x0000000001760000 0x01760000 0x017dffff Private Memory rw True False False -
private_0x0000000001810000 0x01810000 0x0188ffff Private Memory rw True False False -
private_0x00000000018c0000 0x018c0000 0x019bffff Private Memory rw True False False -
private_0x0000000001a40000 0x01a40000 0x01abffff Private Memory rw True False False -
private_0x0000000001ac0000 0x01ac0000 0x01bbffff Private Memory rw True False False -
private_0x0000000001bd0000 0x01bd0000 0x01bdffff Private Memory rw True False False -
private_0x0000000001ca0000 0x01ca0000 0x01caffff Private Memory rw True False False -
private_0x0000000001cb0000 0x01cb0000 0x01daffff Private Memory rw True False False -
private_0x0000000001dd0000 0x01dd0000 0x01e4ffff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f8ffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x0208ffff Private Memory rw True False False -
private_0x00000000020d0000 0x020d0000 0x0214ffff Private Memory rw True False False -
private_0x0000000002150000 0x02150000 0x0224ffff Private Memory rw True False False -
private_0x0000000002270000 0x02270000 0x022effff Private Memory rw True False False -
private_0x0000000002340000 0x02340000 0x023bffff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x0244ffff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory rw True False False -
private_0x0000000002580000 0x02580000 0x0258ffff Private Memory rw True False False -
private_0x0000000002590000 0x02590000 0x0358ffff Private Memory rw True False False -
private_0x0000000003620000 0x03620000 0x0369ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
psapi.dll 0x77a30000 0x77a36fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
esent.dll 0x7fef4520000 0x7fef4799fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7fef6d60000 0x7fef6d67fff Memory Mapped File rwx False False False -
ssdpapi.dll 0x7fef7940000 0x7fef7950fff Memory Mapped File rwx False False False -
webio.dll 0x7fef7d00000 0x7fef7d63fff Memory Mapped File rwx False False False -
winhttp.dll 0x7fef7d70000 0x7fef7de0fff Memory Mapped File rwx False False False -
ncsi.dll 0x7fef7df0000 0x7fef7e27fff Memory Mapped File rwx False False False -
nlasvc.dll 0x7fef7e30000 0x7fef7e7dfff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef7e80000 0x7fef7e96fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef7ea0000 0x7fef804ffff Memory Mapped File rwx False False False -
cryptsvc.dll 0x7fef80c0000 0x7fef80effff Memory Mapped File rwx False False False -
wkssvc.dll 0x7fef81c0000 0x7fef81dffff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
dnsext.dll 0x7fefafd0000 0x7fefafd6fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefafe0000 0x7fefb032fff Memory Mapped File rwx False False False -
dnsrslvr.dll 0x7fefb040000 0x7fefb06ffff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
es.dll 0x7fefb1c0000 0x7fefb226fff Memory Mapped File rwx False False False -
atl.dll 0x7fefb260000 0x7fefb278fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb890000 0x7fefb8a3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb8b0000 0x7fefb8c4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb8d0000 0x7fefb8dbfff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefba10000 0x7fefba20fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefbff0000 0x7fefc00cfff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc540000 0x7fefc66bfff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefcb30000 0x7fefcb4afff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcb50000 0x7fefcb6dfff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7fefcce0000 0x7fefcd2bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fefcec0000 0x7fefcf1afff Memory Mapped File rwx False False False -
wship6.dll 0x7fefd030000 0x7fefd036fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
netjoin.dll 0x7fefd1b0000 0x7fefd1e1fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fefd210000 0x7fefd231fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7fefd2d0000 0x7fefd33cfff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd640000 0x7fefd64afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd750000 0x7fefd78cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
For performance reasons, the remaining 41 entries are omitted.
The remaining entries can be found in flog.txt.
Process #13: spoolsv.exe
Information Value
ID #13
File Name c:\windows\system32\spoolsv.exe
Command Line C:\Windows\System32\spoolsv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4a8
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege
Thread IDs 0x4CC, 0x4C8, 0x4C0, 0x4BC, 0x4B4, 0x4AC, 0xBC0, 0xBE8, 0xBEC, 0xBF0, 0xBF4, 0xBF8, 0xBFC, 0x804, 0x240, 0x304, 0x67C, 0x600, 0x3B8, 0x3C8, 0x6B8, 0x528, 0x950
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory rw True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File r False False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory rw True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory rw True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory r True False False -
msxml6r.dll 0x001a0000 0x001a0fff Memory Mapped File r False False False -
private_0x00000000001b0000 0x001b0000 0x001cffff Private Memory - True False False -
private_0x0000000000200000 0x00200000 0x0020ffff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0040ffff Private Memory rw True False False -
pagefile_0x0000000000410000 0x00410000 0x00597fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005a0000 0x005a0000 0x00720fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000730000 0x00730000 0x01b2ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b30000 0x01b30000 0x01f22fff Pagefile Backed Memory r True False False -
private_0x0000000001f30000 0x01f30000 0x01f6ffff Private Memory rw True False False -
private_0x0000000001f90000 0x01f90000 0x01fcffff Private Memory rw True False False -
private_0x0000000001fd0000 0x01fd0000 0x0200ffff Private Memory rw True False False -
private_0x0000000002010000 0x02010000 0x0204ffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x020dffff Private Memory rw True False False -
private_0x0000000002140000 0x02140000 0x0214ffff Private Memory rw True False False -
private_0x0000000002180000 0x02180000 0x021bffff Private Memory rw True False False -
private_0x0000000002230000 0x02230000 0x022affff Private Memory rw True False False -
private_0x00000000022b0000 0x022b0000 0x023b0fff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x023dffff Private Memory rw True False False -
sortdefault.nls 0x023e0000 0x026aefff Memory Mapped File r False False False -
private_0x00000000026b0000 0x026b0000 0x027affff Private Memory rw True False False -
private_0x00000000027d0000 0x027d0000 0x027dffff Private Memory rw True False False -
private_0x0000000002810000 0x02810000 0x0288ffff Private Memory rw True False False -
private_0x00000000028c0000 0x028c0000 0x028fffff Private Memory rw True False False -
private_0x0000000002920000 0x02920000 0x0299ffff Private Memory rw True False False -
private_0x00000000029b0000 0x029b0000 0x02a2ffff Private Memory rw True False False -
private_0x0000000002a60000 0x02a60000 0x02a9ffff Private Memory rw True False False -
private_0x0000000002ae0000 0x02ae0000 0x02b5ffff Private Memory rw True False False -
private_0x0000000002b60000 0x02b60000 0x02b9ffff Private Memory rw True False False -
private_0x0000000002ba0000 0x02ba0000 0x02bdffff Private Memory rw True False False -
private_0x0000000002bf0000 0x02bf0000 0x02c6ffff Private Memory rw True False False -
kernelbase.dll.mui 0x02c70000 0x02d2ffff Memory Mapped File rw False False False -
private_0x0000000002d30000 0x02d30000 0x0312ffff Private Memory rw True False False -
private_0x0000000003160000 0x03160000 0x0319ffff Private Memory rw True False False -
private_0x00000000031b0000 0x031b0000 0x031effff Private Memory rw True False False -
private_0x0000000003210000 0x03210000 0x0324ffff Private Memory rw True False False -
private_0x0000000003250000 0x03250000 0x0334ffff Private Memory rw True False False -
private_0x0000000003370000 0x03370000 0x0337ffff Private Memory rw True False False -
private_0x00000000033b0000 0x033b0000 0x033effff Private Memory rw True False False -
private_0x0000000003460000 0x03460000 0x0349ffff Private Memory rw True False False -
private_0x00000000034f0000 0x034f0000 0x0352ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
spoolsv.exe 0xff0c0000 0xff14bfff Memory Mapped File rwx False False False -
win32spl.dll 0x7fef3f50000 0x7fef400cfff Memory Mapped File rwx False False False -
fundisc.dll 0x7fef4010000 0x7fef4042fff Memory Mapped File rwx False False False -
webservices.dll 0x7fef4050000 0x7fef416efff Memory Mapped File rwx False False False -
wsdapi.dll 0x7fef4170000 0x7fef4200fff Memory Mapped File rwx False False False -
wsdmon.dll 0x7fef4210000 0x7fef4249fff Memory Mapped File rwx False False False -
inetpp.dll 0x7fef4370000 0x7fef439cfff Memory Mapped File rwx False False False -
localspl.dll 0x7fef43a0000 0x7fef448dfff Memory Mapped File rwx False False False -
winprint.dll 0x7fef4a00000 0x7fef4a0dfff Memory Mapped File rwx False False False -
fdpnp.dll 0x7fef4a10000 0x7fef4a1ffff Memory Mapped File rwx False False False -
wls0wndh.dll 0x7fef4a20000 0x7fef4a26fff Memory Mapped File rwx False False False -
usbmon.dll 0x7fef4a30000 0x7fef4a3efff Memory Mapped File rwx False False False -
tcpmon.dll 0x7fef4ab0000 0x7fef4ae3fff Memory Mapped File rwx False False False -
wsnmp32.dll 0x7fef4b80000 0x7fef4b93fff Memory Mapped File rwx False False False -
snmpapi.dll 0x7fef4ba0000 0x7fef4baafff Memory Mapped File rwx False False False -
spoolss.dll 0x7fef4bb0000 0x7fef4bc1fff Memory Mapped File rwx False False False -
msxml6.dll 0x7fef4c30000 0x7fef4e21fff Memory Mapped File rwx False False False -
winspool.drv 0x7fef6930000 0x7fef69a0fff Memory Mapped File rwx False False False -
fxsmon.dll 0x7fef6bd0000 0x7fef6bddfff Memory Mapped File rwx False False False -
umb.dll 0x7fef6be0000 0x7fef6bf2fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x7fef6d60000 0x7fef6d67fff Memory Mapped File rwx False False False -
printisolationproxy.dll 0x7fef9020000 0x7fef902ffff Memory Mapped File rwx False False False -
cscapi.dll 0x7fef92d0000 0x7fef92defff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefafe0000 0x7fefb032fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb230000 0x7fefb23afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb240000 0x7fefb24bfff Memory Mapped File rwx False False False -
atl.dll 0x7fefb260000 0x7fefb278fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb8d0000 0x7fefb8dbfff Memory Mapped File rwx False False False -
powrprof.dll 0x7fefc6c0000 0x7fefc6ebfff Memory Mapped File rwx False False False -
version.dll 0x7fefc970000 0x7fefc97bfff Memory Mapped File rwx False False False -
firewallapi.dll 0x7fefc980000 0x7fefca3afff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefcb30000 0x7fefcb4afff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcb50000 0x7fefcb6dfff Memory Mapped File rwx False False False -
devrtl.dll 0x7fefcb70000 0x7fefcb81fff Memory Mapped File rwx False False False -
spinf.dll 0x7fefcb90000 0x7fefcbaefff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fefcec0000 0x7fefcf1afff Memory Mapped File rwx False False False -
wship6.dll 0x7fefd030000 0x7fefd036fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd5a0000 0x7fefd5c2fff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd640000 0x7fefd64afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd7b0000 0x7fefd7befff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd850000 0x7fefd85efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd970000 0x7fefd989fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd990000 0x7fefdaf6fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdb00000 0x7fefdb35fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefdb40000 0x7fefdb79fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff300000 0x7feff4d6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
For performance reasons, the remaining 2 entries are omitted.
The remaining entries can be found in flog.txt.
Process #14: taskhost.exe
Information Value
ID #14
File Name c:\windows\system32\taskhost.exe
Command Line "taskhost.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:01:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4d0
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x7F4, 0x7E0, 0x7D0, 0x7C8, 0x7C4, 0x7BC, 0x504, 0x500, 0x4F0, 0x4E4, 0x4D4, 0xA74, 0x84C, 0x1C4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
private_0x0000000000030000 0x00030000 0x000affff Private Memory rw True False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b3fff Pagefile Backed Memory r True False False -
locale.nls 0x000c0000 0x00126fff Memory Mapped File r False False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory rw True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00180fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory rw True False False -
msutb.dll.mui 0x001a0000 0x001a1fff Memory Mapped File rw False False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory rw True False False -
pagefile_0x0000000000430000 0x00430000 0x005b7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x01b4ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001b50000 0x01b50000 0x01f42fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001f50000 0x01f50000 0x0202efff Pagefile Backed Memory r True False False -
private_0x0000000002030000 0x02030000 0x0206ffff Private Memory rw True False False -
private_0x0000000002070000 0x02070000 0x02070fff Private Memory rw True False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
private_0x0000000002100000 0x02100000 0x02100fff Private Memory rw True False False -
private_0x0000000002130000 0x02130000 0x021affff Private Memory rw True False False -
kernelbase.dll.mui 0x021b0000 0x0226ffff Memory Mapped File rw False False False -
private_0x0000000002270000 0x02270000 0x022effff Private Memory rw True False False -
private_0x0000000002330000 0x02330000 0x023affff Private Memory rw True False False -
private_0x00000000023e0000 0x023e0000 0x0245ffff Private Memory rw True False False -
private_0x00000000024a0000 0x024a0000 0x024affff Private Memory rw True False False -
private_0x0000000002620000 0x02620000 0x0269ffff Private Memory rw True False False -
private_0x00000000026a0000 0x026a0000 0x0271ffff Private Memory rw True False False -
private_0x0000000002720000 0x02720000 0x0279ffff Private Memory rw True False False -
private_0x00000000027f0000 0x027f0000 0x0286ffff Private Memory rw True False False -
private_0x00000000028b0000 0x028b0000 0x0292ffff Private Memory rw True False False -
sortdefault.nls 0x02930000 0x02bfefff Memory Mapped File r False False False -
private_0x0000000002c60000 0x02c60000 0x02cdffff Private Memory rw True False False -
private_0x0000000002d80000 0x02d80000 0x02dfffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xffe50000 0xffe63fff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef69e0000 0x7fef69ebfff Memory Mapped File rwx False False False -
dimsjob.dll 0x7fef6d50000 0x7fef6d5dfff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef6d70000 0x7fef6de3fff Memory Mapped File rwx False False False -
winmm.dll 0x7fef8180000 0x7fef81bafff Memory Mapped File rwx False False False -
msutb.dll 0x7fef8be0000 0x7fef8c1cfff Memory Mapped File rwx False False False -
msctfmonitor.dll 0x7fef8c20000 0x7fef8c2afff Memory Mapped File rwx False False False -
hotstartuseragent.dll 0x7fef8c30000 0x7fef8c3afff Memory Mapped File rwx False False False -
playsndsrv.dll 0x7fef9170000 0x7fef9187fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb230000 0x7fefb23afff Memory Mapped File rwx False False False -
dsrole.dll 0x7fefb240000 0x7fefb24bfff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb300000 0x7fefb314fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb3f0000 0x7fefb516fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefba10000 0x7fefba20fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbbb0000 0x7fefbbc7fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7fefbf90000 0x7fefbfe5fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
winsta.dll 0x7fefd750000 0x7fefd78cfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdbfff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdefff Private Memory rw True False False -
Process #15: svchost.exe
Information Value
ID #15
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4d8
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x544, 0x778, 0x774, 0x770, 0x710, 0x634, 0x630, 0x62C, 0x628, 0x60C, 0x5F8, 0x5CC, 0x550, 0x53C, 0x51C, 0x510, 0x50C, 0x4F8, 0x4F4, 0x4E8, 0x4DC, 0xA84, 0x750, 0x8A8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
firewallapi.dll.mui 0x000f0000 0x0010bfff Memory Mapped File rw False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x0000000000140000 0x00140000 0x00147fff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x0000000000330000 0x00330000 0x003affff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000800000 0x00800000 0x008bffff Pagefile Backed Memory r True False False -
pagefile_0x00000000008c0000 0x008c0000 0x00cb2fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000cc0000 0x00cc0000 0x00cc1fff Pagefile Backed Memory r True False False -
private_0x0000000000ce0000 0x00ce0000 0x00d5ffff Private Memory rw True False False -
private_0x0000000000d80000 0x00d80000 0x00dfffff Private Memory rw True False False -
private_0x0000000000e00000 0x00e00000 0x00e7ffff Private Memory rw True False False -
private_0x0000000000ee0000 0x00ee0000 0x00f5ffff Private Memory rw True False False -
sortdefault.nls 0x00f60000 0x0122efff Memory Mapped File r False False False -
private_0x0000000001270000 0x01270000 0x012effff Private Memory rw True False False -
private_0x0000000001310000 0x01310000 0x0138ffff Private Memory rw True False False -
private_0x00000000013c0000 0x013c0000 0x0143ffff Private Memory rw True False False -
private_0x00000000014a0000 0x014a0000 0x0151ffff Private Memory rw True False False -
private_0x0000000001520000 0x01520000 0x0159ffff Private Memory rw True False False -
private_0x00000000015c0000 0x015c0000 0x0163ffff Private Memory rw True False False -
private_0x00000000016d0000 0x016d0000 0x0174ffff Private Memory rw True False False -
private_0x0000000001750000 0x01750000 0x0184ffff Private Memory rw True False False -
private_0x0000000001850000 0x01850000 0x018cffff Private Memory rw True False False -
private_0x0000000001960000 0x01960000 0x019dffff Private Memory rw True False False -
private_0x00000000019e0000 0x019e0000 0x01a5ffff Private Memory rw True False False -
private_0x0000000001a60000 0x01a60000 0x01b5ffff Private Memory rw True False False -
private_0x0000000001b90000 0x01b90000 0x01c0ffff Private Memory rw True False False -
private_0x0000000001c80000 0x01c80000 0x01cfffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x0214ffff Private Memory rw True False False -
private_0x0000000002350000 0x02350000 0x023cffff Private Memory rw True False False -
private_0x0000000002400000 0x02400000 0x0247ffff Private Memory rw True False False -
private_0x0000000002480000 0x02480000 0x024fffff Private Memory rw True False False -
private_0x0000000002530000 0x02530000 0x025affff Private Memory rw True False False -
private_0x00000000025c0000 0x025c0000 0x026dffff Private Memory rw True False False -
private_0x00000000026e0000 0x026e0000 0x028e0fff Private Memory rw True False False -
private_0x0000000002a90000 0x02a90000 0x02a9ffff Private Memory rw True False False -
private_0x0000000002aa0000 0x02aa0000 0x02c9ffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
npmproxy.dll 0x7fef69e0000 0x7fef69ebfff Memory Mapped File rwx False False False -
wdiasqmmodule.dll 0x7fef69f0000 0x7fef69fcfff Memory Mapped File rwx False False False -
radardt.dll 0x7fef6a00000 0x7fef6a1cfff Memory Mapped File rwx False False False -
pnpts.dll 0x7fef6a20000 0x7fef6a27fff Memory Mapped File rwx False False False -
diagperf.dll 0x7fef6c00000 0x7fef6d49fff Memory Mapped File rwx False False False -
netprofm.dll 0x7fef6d70000 0x7fef6de3fff Memory Mapped File rwx False False False -
wdi.dll 0x7fef7b60000 0x7fef7b78fff Memory Mapped File rwx False False False -
wfapigp.dll 0x7fef7bf0000 0x7fef7bf9fff Memory Mapped File rwx False False False -
dps.dll 0x7fef8050000 0x7fef807bfff Memory Mapped File rwx False False False -
mpssvc.dll 0x7fef90a0000 0x7fef916dfff Memory Mapped File rwx False False False -
bfe.dll 0x7fef9190000 0x7fef923ffff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x7fefafe0000 0x7fefb032fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
slc.dll 0x7fefb230000 0x7fefb23afff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb300000 0x7fefb314fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb3f0000 0x7fefb516fff Memory Mapped File rwx False False False -
wtsapi32.dll 0x7fefba10000 0x7fefba20fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefc7a0000 0x7fefc7ccfff Memory Mapped File rwx False False False -
version.dll 0x7fefc970000 0x7fefc97bfff Memory Mapped File rwx False False False -
firewallapi.dll 0x7fefc980000 0x7fefca3afff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
gpapi.dll 0x7fefcb30000 0x7fefcb4afff Memory Mapped File rwx False False False -
userenv.dll 0x7fefcb50000 0x7fefcb6dfff Memory Mapped File rwx False False False -
credssp.dll 0x7fefcca0000 0x7fefcca9fff Memory Mapped File rwx False False False -
pcwum.dll 0x7fefccb0000 0x7fefccbcfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
wship6.dll 0x7fefd030000 0x7fefd036fff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7fefd210000 0x7fefd231fff Memory Mapped File rwx False False False -
authz.dll 0x7fefd290000 0x7fefd2befff Memory Mapped File rwx False False False -
secur32.dll 0x7fefd640000 0x7fefd64afff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd7b0000 0x7fefd7befff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdb00000 0x7fefdb35fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feff600000 0x7feff651fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffff8c000 0x7fffff8c000 0x7fffff8dfff Private Memory rw True False False -
private_0x000007fffff8e000 0x7fffff8e000 0x7fffff8ffff Private Memory rw True False False -
private_0x000007fffff90000 0x7fffff90000 0x7fffff91fff Private Memory rw True False False -
private_0x000007fffff92000 0x7fffff92000 0x7fffff93fff Private Memory rw True False False -
private_0x000007fffff96000 0x7fffff96000 0x7fffff97fff Private Memory rw True False False -
private_0x000007fffff9a000 0x7fffff9a000 0x7fffff9bfff Private Memory rw True False False -
private_0x000007fffff9c000 0x7fffff9c000 0x7fffff9dfff Private Memory rw True False False -
private_0x000007fffff9e000 0x7fffff9e000 0x7fffff9ffff Private Memory rw True False False -
private_0x000007fffffa0000 0x7fffffa0000 0x7fffffa1fff Private Memory rw True False False -
private_0x000007fffffa2000 0x7fffffa2000 0x7fffffa3fff Private Memory rw True False False -
private_0x000007fffffa4000 0x7fffffa4000 0x7fffffa5fff Private Memory rw True False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #16: taskhost.exe
Information Value
ID #16
File Name c:\windows\system32\taskhost.exe
Command Line taskhost.exe $(Arg0)
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:28, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:58
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x474
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeCreateGlobalPrivilege
Thread IDs 0x408, 0x570, 0x40C, 0x554, 0x558, 0x5D4, 0x138, 0x488, 0x470, 0x428, 0xA68, 0x594, 0x834
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory rw True False False -
private_0x0000000000050000 0x00050000 0x0014ffff Private Memory rw True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000200000 0x00200000 0x00200fff Pagefile Backed Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0028ffff Private Memory rw True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002affff Pagefile Backed Memory rw True False False -
msxml6r.dll 0x002b0000 0x002b0fff Memory Mapped File r False False False -
private_0x00000000002c0000 0x002c0000 0x002dffff Private Memory - True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e1fff Pagefile Backed Memory r True False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
pagefile_0x0000000000400000 0x00400000 0x00587fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000590000 0x00590000 0x00710fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000720000 0x00720000 0x007dffff Pagefile Backed Memory r True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00bd2fff Pagefile Backed Memory r True False False -
private_0x0000000000be0000 0x00be0000 0x00c5ffff Private Memory rw True False False -
pagefile_0x0000000000c70000 0x00c70000 0x00c71fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x00ca0fff Pagefile Backed Memory r True False False -
winsatapi.dll.mui 0x00cb0000 0x00cb1fff Memory Mapped File rw False False False -
pagefile_0x0000000000cc0000 0x00cc0000 0x00cc0fff Pagefile Backed Memory rw True False False -
private_0x0000000000cd0000 0x00cd0000 0x00cdffff Private Memory rw True False False -
private_0x0000000000ce0000 0x00ce0000 0x00d5ffff Private Memory rw True False False -
pagefile_0x0000000000d60000 0x00d60000 0x00d6ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000d70000 0x00d70000 0x00d70fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000d80000 0x00d80000 0x00d8ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000d90000 0x00d90000 0x00d90fff Pagefile Backed Memory rw True False False -
private_0x0000000000da0000 0x00da0000 0x00e1ffff Private Memory rw True False False -
pagefile_0x0000000000e20000 0x00e20000 0x00e2ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000e30000 0x00e30000 0x00e32fff Pagefile Backed Memory rw True False False -
private_0x0000000000e90000 0x00e90000 0x00f0ffff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00faffff Private Memory rw True False False -
private_0x0000000000fc0000 0x00fc0000 0x0103ffff Private Memory rw True False False -
private_0x0000000001080000 0x01080000 0x010fffff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x0119ffff Private Memory rw True False False -
private_0x00000000011c0000 0x011c0000 0x0123ffff Private Memory rw True False False -
pagefile_0x0000000001240000 0x01240000 0x0150bfff Pagefile Backed Memory rw True False False -
private_0x0000000001510000 0x01510000 0x0158ffff Private Memory rw True False False -
private_0x00000000015c0000 0x015c0000 0x0163ffff Private Memory rw True False False -
sortdefault.nls 0x01640000 0x0190efff Memory Mapped File r False False False -
private_0x0000000001960000 0x01960000 0x019dffff Private Memory rw True False False -
kernelbase.dll.mui 0x019e0000 0x01a9ffff Memory Mapped File rw False False False -
private_0x0000000001aa0000 0x01aa0000 0x01e9ffff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01f4ffff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01fdffff Private Memory rw True False False -
private_0x00000000020c0000 0x020c0000 0x021bffff Private Memory rw True False False -
private_0x00000000021d0000 0x021d0000 0x0224ffff Private Memory rw True False False -
private_0x0000000002250000 0x02250000 0x0244ffff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory rw True False False -
private_0x00000000025c0000 0x025c0000 0x0263ffff Private Memory rw True False False -
pagefile_0x0000000002640000 0x02640000 0x026c9fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000026d0000 0x026d0000 0x02759fff Pagefile Backed Memory rw True False False -
private_0x00000000027d0000 0x027d0000 0x0284ffff Private Memory rw True False False -
pagefile_0x0000000002850000 0x02850000 0x02b1bfff Pagefile Backed Memory rw True False False -
private_0x0000000002ba0000 0x02ba0000 0x02c1ffff Private Memory rw True False False -
private_0x0000000002c40000 0x02c40000 0x02cbffff Private Memory rw True False False -
private_0x0000000002cd0000 0x02cd0000 0x02d4ffff Private Memory rw True False False -
sfc.dll 0x73f90000 0x73f92fff Memory Mapped File rwx False False False -
msvcr90.dll 0x74170000 0x74212fff Memory Mapped File rwx False False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
taskhost.exe 0xffe50000 0xffe63fff Memory Mapped File rwx False False False -
msoxmlmf.dll 0x7fef4c10000 0x7fef4c20fff Memory Mapped File rwx False False False -
msxml6.dll 0x7fef4c30000 0x7fef4e21fff Memory Mapped File rwx False False False -
winsatapi.dll 0x7fef4e30000 0x7fef4eb4fff Memory Mapped File rwx False False False -
sqlceqp30.dll 0x7fef4ec0000 0x7fef4f90fff Memory Mapped File rwx False False False -
sqmapi.dll 0x7fef75a0000 0x7fef75e1fff Memory Mapped File rwx False False False -
sfc_os.dll 0x7fef7b80000 0x7fef7b8ffff Memory Mapped File rwx False False False -
aepic.dll 0x7fef7b90000 0x7fef7ba1fff Memory Mapped File rwx False False False -
sqlcese30.dll 0x7fef8dc0000 0x7fef8e33fff Memory Mapped File rwx False False False -
sqlceoledb30.dll 0x7fef8e40000 0x7fef8e72fff Memory Mapped File rwx False False False -
racengn.dll 0x7fef8e80000 0x7fef8ffffff Memory Mapped File rwx False False False -
dxgi.dll 0x7fefa970000 0x7fefaa16fff Memory Mapped File rwx False False False -
taskschd.dll 0x7fefb3f0000 0x7fefb516fff Memory Mapped File rwx False False False -
xmllite.dll 0x7fefbb70000 0x7fefbba4fff Memory Mapped File rwx False False False -
dwmapi.dll 0x7fefbbb0000 0x7fefbbc7fff Memory Mapped File rwx False False False -
gdiplus.dll 0x7fefbd70000 0x7fefbf84fff Memory Mapped File rwx False False False -
comctl32.dll 0x7fefc040000 0x7fefc233fff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc540000 0x7fefc66bfff Memory Mapped File rwx False False False -
powrprof.dll 0x7fefc6c0000 0x7fefc6ebfff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefc7a0000 0x7fefc7ccfff Memory Mapped File rwx False False False -
version.dll 0x7fefc970000 0x7fefc97bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
wevtapi.dll 0x7fefd2d0000 0x7fefd33cfff Memory Mapped File rwx False False False -
sspicli.dll 0x7fefd670000 0x7fefd694fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
profapi.dll 0x7fefd7b0000 0x7fefd7befff Memory Mapped File rwx False False False -
msasn1.dll 0x7fefd850000 0x7fefd85efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd970000 0x7fefd989fff Memory Mapped File rwx False False False -
crypt32.dll 0x7fefd990000 0x7fefdaf6fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdb00000 0x7fefdb35fff Memory Mapped File rwx False False False -
wintrust.dll 0x7fefdb40000 0x7fefdb79fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
shell32.dll 0x7fefdf00000 0x7fefec87fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff300000 0x7feff4d6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
wldap32.dll 0x7feff600000 0x7feff651fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffffa6000 0x7fffffa6000 0x7fffffa7fff Private Memory rw True False False -
private_0x000007fffffa8000 0x7fffffa8000 0x7fffffa9fff Private Memory rw True False False -
private_0x000007fffffaa000 0x7fffffaa000 0x7fffffabfff Private Memory rw True False False -
private_0x000007fffffac000 0x7fffffac000 0x7fffffadfff Private Memory rw True False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #17: ose.exe
Information Value
ID #17
File Name c:\program files\common files\microsoft shared\source engine\ose.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:30, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:56
OS Process Information
Information Value
PID 0x97c
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable True
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x980, 0x994, 0x998, 0x99C, 0x9A0, 0x9F0, 0xA04, 0x188
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0008bfff Private Memory rwx True False False -
private_0x0000000000090000 0x00090000 0x000cffff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
locale.nls 0x00350000 0x003b6fff Memory Mapped File r False False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory rw True False False -
pagefile_0x0000000000560000 0x00560000 0x006e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006f0000 0x006f0000 0x007affff Pagefile Backed Memory r True False False -
private_0x00000000007b0000 0x007b0000 0x007c1fff Private Memory rw True False False -
private_0x00000000007d0000 0x007d0000 0x007dffff Private Memory rw True False False -
rsaenh.dll 0x007e0000 0x0081bfff Memory Mapped File r False False False -
private_0x00000000007e0000 0x007e0000 0x007e0fff Private Memory rw True False False -
pagefile_0x00000000007e0000 0x007e0000 0x007e0fff Pagefile Backed Memory r True False False -
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory rw True False False -
pagefile_0x00000000007f0000 0x007f0000 0x007f7fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000007f0000 0x007f0000 0x007f0fff Pagefile Backed Memory rw True False False -
private_0x0000000000800000 0x00800000 0x0083ffff Private Memory rw True False False -
pagefile_0x0000000000840000 0x00840000 0x00847fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000840000 0x00840000 0x00840fff Pagefile Backed Memory r True False False -
ose.exe 0x00860000 0x00882fff Memory Mapped File rwx True True False
private_0x0000000000940000 0x00940000 0x0094ffff Private Memory rw True False False -
private_0x0000000000970000 0x00970000 0x009affff Private Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory rw True False False -
private_0x0000000000a00000 0x00a00000 0x00a0ffff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00adffff Private Memory rw True False False -
private_0x0000000000a80000 0x00a80000 0x00abffff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00adffff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00bdffff Private Memory rw True False False -
private_0x0000000000c10000 0x00c10000 0x00c4ffff Private Memory rw True False False -
private_0x0000000000c90000 0x00c90000 0x00ccffff Private Memory rw True False False -
private_0x0000000000ce0000 0x00ce0000 0x00ddffff Private Memory rw True False False -
sortdefault.nls 0x00de0000 0x010aefff Memory Mapped File r False False False -
private_0x0000000001110000 0x01110000 0x0120ffff Private Memory rw True False False -
private_0x0000000001310000 0x01310000 0x0140ffff Private Memory rw True False False -
private_0x0000000001420000 0x01420000 0x0151ffff Private Memory rw True False False -
private_0x00000000015b0000 0x015b0000 0x016affff Private Memory rw True False False -
private_0x00000000017e0000 0x017e0000 0x018dffff Private Memory rw True False False -
wow64cpu.dll 0x74f80000 0x74f87fff Memory Mapped File rwx False False False -
wow64win.dll 0x74f90000 0x74febfff Memory Mapped File rwx False False False -
wow64.dll 0x74ff0000 0x7502efff Memory Mapped File rwx False False False -
profapi.dll 0x75120000 0x7512afff Memory Mapped File rwx False False False -
rsaenh.dll 0x75130000 0x7516afff Memory Mapped File rwx False False False -
cryptsp.dll 0x75170000 0x75185fff Memory Mapped File rwx False False False -
userenv.dll 0x75190000 0x751a6fff Memory Mapped File rwx False False False -
gdiplus.dll 0x751b0000 0x7533ffff Memory Mapped File rwx False False False -
comctl32.dll 0x75340000 0x753c3fff Memory Mapped File rwx False False False -
winmm.dll 0x753d0000 0x75401fff Memory Mapped File rwx False False False -
oledlg.dll 0x75410000 0x7542bfff Memory Mapped File rwx False False False -
winspool.drv 0x75430000 0x75480fff Memory Mapped File rwx False False False -
cryptbase.dll 0x75590000 0x7559bfff Memory Mapped File rwx False False False -
sspicli.dll 0x755a0000 0x755fffff Memory Mapped File rwx False False False -
msvcrt.dll 0x75660000 0x7570bfff Memory Mapped File rwx False False False -
lpk.dll 0x75710000 0x75719fff Memory Mapped File rwx False False False -
crypt32.dll 0x75720000 0x7583cfff Memory Mapped File rwx False False False -
sechost.dll 0x75a60000 0x75a78fff Memory Mapped File rwx False False False -
gdi32.dll 0x75a80000 0x75b0ffff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75b10000 0x75bfffff Memory Mapped File rwx False False False -
msasn1.dll 0x75c60000 0x75c6bfff Memory Mapped File rwx False False False -
shell32.dll 0x75cc0000 0x76909fff Memory Mapped File rwx False False False -
msctf.dll 0x76b30000 0x76bfbfff Memory Mapped File rwx False False False -
imm32.dll 0x76c00000 0x76c5ffff Memory Mapped File rwx False False False -
ole32.dll 0x76e30000 0x76f8bfff Memory Mapped File rwx False False False -
advapi32.dll 0x76f90000 0x7702ffff Memory Mapped File rwx False False False -
user32.dll 0x771d0000 0x772cffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77350000 0x773a6fff Memory Mapped File rwx False False False -
kernel32.dll 0x773b0000 0x774bffff Memory Mapped File rwx False False False -
usp10.dll 0x77550000 0x775ecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x775f0000 0x77635fff Memory Mapped File rwx False False False -
private_0x0000000077640000 0x77640000 0x77739fff Private Memory rwx True False False -
private_0x0000000077740000 0x77740000 0x7785efff Private Memory rwx True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
psapi.dll 0x77a10000 0x77a14fff Memory Mapped File rwx False False False -
ntdll.dll 0x77a40000 0x77bbffff Memory Mapped File rwx False False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory rw True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory rw True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory rw True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory rw True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory rw True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory rw True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.locked 10.00 MB MD5: 2aa4a1f277596686a24f98e5ec92f2fc
SHA1: eabbcba0dee9cf276f02a69cc7414487a6f208eb
SHA256: ba36805b970001a77a39c9dfc9fdb2875bca375ceaf3c9c62fab242adc8bace5
SSDeep: 196608:N5gcmQRCW+SlDIlTytuej7VuwyigvWEc/yI41nHQRLK41cO0dJI:x5ROIIl+tuo7tyxWEcO1wRLKUcO0dJI
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: cd44a3076aaf434b39dac285d9b936cf
SHA1: 028e70a863473ad6035997ba00135fe7f822f1c5
SHA256: 42c035c5935686d45b73a73bb4970e3c5ef69f621f2dacd478df999a855cc073
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW53NSKHfcVv:xzSsf9FjfiHZW5irkhtWfHWRNSFv
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt 1.11 KB MD5: c3b1b3835ce6ee34009ed4a7b4ca664a
SHA1: 55eb8529dbcced58bda46b7f70f2c1363fa3429d
SHA256: 42c539c31162e3ba3554250783af600b8e74a1b01f7d41f31c06614ddc60c5a9
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWPcw0OR8NS:xzSsf9FjfiHZW5irkhtWfHWPcB3Y
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt 1.11 KB MD5: 19d91ec337598d55422ecf3be992198a
SHA1: 404e73efc090de595632b569d99096465402c2a5
SHA256: e1511243875380e7a2154c2e31a3a2a5d6410d8c9a3e782ec5bbdc52cf2abd18
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWLnDHDf/SN:xzSsf9FjfiHZW5irkhtWfHWLnDHbSN
False
C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: fde07352a0bb361ade69ad2303df5d0f
SHA1: 3e504e0bb0cd3de8e3ba3af05898a28c2d6c4acc
SHA256: 6fab4316fa40b855071dbe4430eac8430c6709bf3a1bd5ca32ac809475e80341
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWNyIdIXE:xzSsf9FjfiHZW5irkhtWfHWNya
False
C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt 1.11 KB MD5: 599996a6790253fc18534b7378a36db5
SHA1: 4bae69d9103f055749d626cab8d9503b238c6fda
SHA256: 3ea0f2c01f2d4408cb66feaaf4ab11788a04c7cd7176b7baeb44dfbcd6cb8619
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWqA8StGirv:xzSsf9FjfiHZW5irkhtWfHWqArGi7
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.readme_txt 1.11 KB MD5: 61ae554772d5626cf3ef8d9d2a89cfe2
SHA1: b6f870f5b8a7956c450d4b2465e9723935b936b9
SHA256: f5e579866eac20e62ff6db88457e42e816bacb9c67d52d198e3770fd380f0a66
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWMLhAv63s4n:xzSsf9FjfiHZW5irkhtWfHW9v6P
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt 1.11 KB MD5: d67173176bf7725b268dead8e7f4572d
SHA1: d6a45c7aaf277bf52dba3535a34b628cf7908994
SHA256: 174a70ba1296d52fe0ca3f63041f96dd8f12f29970ac761905c5006fbf8bcd51
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWY1QD2jEPu:xzSsf9FjfiHZW5irkhtWfHWY1QM
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.readme_txt 1.11 KB MD5: 3ab1599d6184a3868d6a5f8f16439db6
SHA1: 81fc90cedd5db619d647b418009720a034def17c
SHA256: 01a891f443bb7d0a802fe19fa188c06421279802cad76de448f12ebd557df1aa
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWaNjrBYgyYUD:xzSsf9FjfiHZW5irkhtWfHWa99YgyYk
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.readme_txt 1.11 KB MD5: b4930bcf1b19a88533b6ff0e99283aed
SHA1: 74d5bcb1767b44fd406567c28b7583a6558e048f
SHA256: 07c15ae197aec1ca0e6908d5b0ec76669b6e98c8ff8c5917c8cf75bc12df70fa
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWkMfGRPtY:xzSsf9FjfiHZW5irkhtWfHWkMfYS
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.readme_txt 1.11 KB MD5: a274b72aa37c6b8e748f64a520dd8a73
SHA1: cec705e99072d5755ccffc2bb39a701c563cd074
SHA256: 83672a2a5a03f525da8ec885fa71f2ef94e54348e734d1b52d4e9b9a79061fca
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWr8WdM3:xzSsf9FjfiHZW5irkhtWfHWoWdM
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt 1.11 KB MD5: 6b2129c7a24c288fbc58d0778961b4d5
SHA1: 865999f515538fe901e3af1bba15bcc5b744f5c7
SHA256: a696b340804bc4167e574bacc8e7843f2b6db79248e81f4f4611b222608ac088
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWNU8qo5Wtc0rrV:xzSsf9FjfiHZW5irkhtWfHWNU8zItc09
False
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt 1.11 KB MD5: 9a68ae0ae29ba78e5f6369b17ca6bc59
SHA1: 90246a1cc1527c9d54b64016add364cc5e6c3c1e
SHA256: de326b0b0485b64499e2bf1ad3e473eff2cf327ba1f04bfd13cd7be0cf011f66
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWgwMB:xzSsf9FjfiHZW5irkhtWfHWY
False
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt 1.11 KB MD5: 7993b67eeace980a55d2f8b45552ad81
SHA1: 7d99e1fb750720c56c37ec5a5f8fe6faa1f12b65
SHA256: 27680e13f4ce28771d0fd8f96bf622e822061ffed79ec6565bab55f82a329561
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWn9IQxcp:xzSsf9FjfiHZW5irkhtWfHWn9IQK
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt 1.11 KB MD5: b3640bf7056174f0af3780e1456b56e5
SHA1: 252b22afeae5b70cea957269139be159b26d54ce
SHA256: e5b55862397d8ecee6e94d6c5de8d328a1cf408878feb32d3f6ea89c4cbbd1ad
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW9tdd5ZFg1:xzSsf9FjfiHZW5irkhtWfHW9tdLU1
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.readme_txt 1.11 KB MD5: 01f6624341f02b302d3278e35205fe8c
SHA1: 2ea46afe7ea052e28ba33253795eaa7d87a4a3d9
SHA256: 5c7a8feacee7b15009663f12de485956a511f7df4ade92fc26cbab909d334cae
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWsdPx2yN:xzSsf9FjfiHZW5irkhtWfHWAx2yN
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt 1.11 KB MD5: 8478e1d20014f4054ac1e50d593199a0
SHA1: a97ac40ff3aebdaf6bc7e5f1cadbb242a844bb53
SHA256: c47d0b6078985922acc1f7bbdbae94e22238b7d084e41666f196ae5f71f579e0
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW2QCfzvxfLE:xzSsf9FjfiHZW5irkhtWfHW2QCvxfo
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 77f31a805fc18474f3549553e4bd1966
SHA1: fb9325a2c1037d5c2e557990ca2a27056b70e84c
SHA256: 2f614e63da9ed3ef146195602477df40e51af5b0a3c6117393ce5eb217b2b956
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWeTVX/n:xzSsf9FjfiHZW5irkhtWfHWeN/n
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.locked 2.41 MB MD5: d7831a28eb789c80f4a3e1d56f39639d
SHA1: cf6670cc589c3aeeeb9e03f4560460c3168886cb
SHA256: ef513ca4bcf9fa9ef59d2e66f1a6d78883c4b3a2585ef34df275bb37401c1647
SSDeep: 49152:0FThnX5pPpx+ZiS0I6DXdnrDot39dcgnQz9TwtbdqQEMZNTYmvxqN4Rwzjxre:0FThnJ7xDSm6bnnQzqJdqCZH8N4mJe
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.readme_txt 1.11 KB MD5: 769d8730f9a8d09855d002b2617c8e1a
SHA1: b1b20cc22af9c09fe6b6e7a34f8265b3d5ed568f
SHA256: b0039f2121978ea3cc1e706aeffd615362a17be86793eb45677643999f5f9092
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW9dUW2Nxw:xzSsf9FjfiHZW5irkhtWfHWkW2vw
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 8173c40101e9709f2b49f071e7bfa743
SHA1: ea9ff67baa75261ee92b66d6a72059da7da8c931
SHA256: e0954de4bdd0bf5471160444e621b0d6111fb910035e0e60163de9336a6cedf7
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWxmPBIoqek:xzSsf9FjfiHZW5irkhtWfHWQ5Iuk
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt 1.11 KB MD5: 472eb39fa2a9d0d2cbd5115904e98595
SHA1: ecb6e81ec01ffa88566bfd2f62ce0246f9540a3d
SHA256: 37cb71d5ce5be30e1fb829faa05cada91305558910880ee14f2b96b05731ab3c
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWBJqONK2:xzSsf9FjfiHZW5irkhtWfHWBJ1t
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab.readme_txt 1.11 KB MD5: 4580b7ab1fb50f77078b84a9d41b8b48
SHA1: 7bc479e073de3c3ada2d5c450d994e278d155717
SHA256: f1e19ba76677d45f102e44f637a30b9f6f7d1bbe81568a71b1e8a3a0cbb78d02
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWrkW7hqTokdk:xzSsf9FjfiHZW5irkhtWfHWrd7qk
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.readme_txt 1.11 KB MD5: f1102b7ca8fedfdfe08292613785de9b
SHA1: 22d6a74ff013f6a5f7e6574f4b0460e6e6263d55
SHA256: 805dd2405be593f131cbe163edf264ba77431d6018e8be52f3e3a3d640f9737c
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW882:xzSsf9FjfiHZW5irkhtWfHWd2
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.locked 1.42 KB MD5: c2b8597cad9fe3a755fc78debe277222
SHA1: e0f4a1e09b7d7a9d911eb319889e80aa12a0241e
SHA256: 795576d002cb4f83059ad748128398a331fc5bf6cc7680b4bd17c2fd1dc0fb20
SSDeep: 24:Wrg3/t8vOgTxGp8X5SdCMYS/tsaevPemO5hB4ymHVbM3Rsihdorw4ERefmvOKyAZ:WraR/8pICDS/tpouhB4ymHVb6Kihd+NS
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt 1.11 KB MD5: c801775ffe418f142a00aa57c44aa439
SHA1: 38a46f7e47137eb83977a04360abb20633c08331
SHA256: 9b2d6461af0b288fa6da4afdb222a6b28274d8a7f26e9951d1b006893032c6ee
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWt6KZDfK:xzSsf9FjfiHZW5irkhtWfHWtz4
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi.readme_txt 1.11 KB MD5: 2d84d0849743927ade605ee99e0d25d5
SHA1: 6d0613b84e87ff649902faf7346d1855ec84b9b7
SHA256: 21fcefa16cf5b4dce9875cfe8b86fd01f1ab3f7b63b5a43f04f2540c1269516e
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWbYck3CXOX/u01:xzSsf9FjfiHZW5irkhtWfHWkyePH1
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.locked 1.57 KB MD5: 19da4f6711394d7a31e7523e285dae3d
SHA1: 528540d264c61f044f00bcd4938c4aedca62882d
SHA256: dd930e15e8664189129ca9e0e1f068f90f42bfe525b89f2e9e6a6c1baf641852
SSDeep: 24:pgI/enomofeU8CRwVWu1/lp/tnaaC1i2j+Ec/bATjmkgEVyhsdUClDA:pvEofeYRwH1aaCo2j+lufysUCBA
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.locked 4.11 KB MD5: 6a54d261943b87ad6835ae1e1f739531
SHA1: d6bf1b609959f45c3be33298f1b7e7b9e3a37872
SHA256: a9439ffcebed0056599662e22a8658379851cfd359039b2b5ff0f4b8c18a9013
SSDeep: 48:JlLw7pE15AsR2JghphSdriqY8G7kNYm7sDRmzWUimHJUFcv+a+cNgr169QRA98Zi:fDwVgv8u98//AeWhmHJ2W/QAaX93Ax/
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.readme_txt 1.11 KB MD5: 091e307764f607d68a5a2085145ed507
SHA1: 17e6515cfd9cc33d884a250a1a6a0597fa5f1885
SHA256: 9337731be8d843a9670573ab2c807bcf7cc3efc6f16b1689f981244a38701e5d
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWcZgxoWxfBan:xzSsf9FjfiHZW5irkhtWfHWmgxoQIn
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt 1.11 KB MD5: 51c72deccd8b09e4f35b9744ee6a29e7
SHA1: 125a29c1167ca72f539be565bf60bce349f23cbf
SHA256: 5d3300971fa2b80f8914c87b52940ae7c5e344865774ec75e5c04738ddb05666
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW/gFa9MlI5zi5cR:xzSsf9FjfiHZW5irkhtWfHWV9Jzi5cJf
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt 1.11 KB MD5: b89daecf8dca8ed4c42d8391e49e1bda
SHA1: 1a5feb934e644633552f78a3e723a0f228686bb2
SHA256: 5be30e897367a39a32a61c0180f462ba77d0c1754aee5a7986c805daf752541b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWQRaE0Siugb:xzSsf9FjfiHZW5irkhtWfHWYfixb
False
C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt 1.11 KB MD5: 92156c88bcae03d8c34c394fdccb33cf
SHA1: db0343b017729c6446bd823e9223aad0c7d903d1
SHA256: 7abda68bd6e051bba82494e740993ed31d950351906066ddc9c86e68e006283a
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW1EYPjV:xzSsf9FjfiHZW5irkhtWfHWmg
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: c3cc5c0e3374d1ef30d9c4bda19fecbb
SHA1: 92831573138ad5f98317819183ff9f8972fdec15
SHA256: 73155367ff4731783fd82c8f5b38847dc7a371880ad8c8f3afad175d4c31bb39
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWFedJOgPlIsCC:xzSsf9FjfiHZW5irkhtWfHWFYJOct
False
C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 950b7762fa0d3d878e9a750eeeb17e24
SHA1: ce5a1c9fd8583133d5d71941be54868a2f7421dc
SHA256: 81739bd734f526bc5525f985c5f097efea3ca283f9740a078339c7bd88c5fa6a
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWre6yTnCEDG2m:xzSsf9FjfiHZW5irkhtWfHWRyTzDG2m
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.locked 860.50 KB MD5: 3ec5890d3db23be5d9c8069b2955d764
SHA1: 1308663fd6098f569f9a8e5d63018d3243014d9c
SHA256: 715ac256ba30b11d3912b12a0d50ae95536754937e794e35cc579b9b261fdbcb
SSDeep: 12288:dpMI8NkETdOk/ua5iAA+Siqb+PNFTUa1SZ+qXmE3efSDjFlSra3E9p6wBry5dr06:d+I8dOk/ap+BPnoaMsqWyeGSKSJ5u
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 912a95a29c7d550a70eaaaa5bf43a791
SHA1: 2ae6093181f2e8062b7d614f8366ad9ff684a342
SHA256: 77c5c5a09b622e9943ed804277f5eb295e348a7fedb4a06c42a8fbe915124397
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWHiKwGc:xzSsf9FjfiHZW5irkhtWfHWHpwGc
False
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt 1.11 KB MD5: d376dda45f3a898382a2b8342a9c267d
SHA1: 3e18fe2f372dda36cc8761080e59657e1f69134d
SHA256: f08b1e1db708b976ff7bc5dd03d45ca35645644f97eb58500d55edd97e7f0d54
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWuleGc2Jq9H:xzSsf9FjfiHZW5irkhtWfHWrwm
False
C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt 1.11 KB MD5: 55476d53b32c3f7f8a35821993b5023c
SHA1: c5edd710068e8898f999d787f4940e3ce6fd0f0f
SHA256: e692a2436e16e1d2aca5e62a10c330ecd3495d09748913d32c5cc7f81a697226
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWfWU:xzSsf9FjfiHZW5irkhtWfHWuU
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.locked 865.00 KB MD5: 52e00456bcc8dc9176ac1914fb5a3352
SHA1: f596e52c397a69251e78d8b81e3f1dea097f0c86
SHA256: d4db5022fc4ec15dac22f4ea6b2c1cd61e3abbf0fb2f7417fd49a7201a38e7e8
SSDeep: 24576:/G40L0gYHI73f7o+l3lfIVEEIdyY3v796HFRwtdJs2Kq1:oLsI7PV/IVJY/h6GAM
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi.readme_txt 1.11 KB MD5: 2dcb55d9893d71db4e9efb5baede4708
SHA1: aff9b3a7186184e7a44af524446c6d3695be54a6
SHA256: 81076a9f5554fd91353aadcf3b1f22abc85eef3a6faba11a9ceda95e8a0e632b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWipKXK:xzSsf9FjfiHZW5irkhtWfHWipz
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt 1.11 KB MD5: 4898d711922ae960b3f8c96afae90372
SHA1: 6f2584d4dff29b6b74fb4d8859a7c5bb4c8401b7
SHA256: b03ee945152d52e7f9e9fdad9f2c600bada2dbebdc9e99d19d1845a909a36860
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWTXXNtIF53y:xzSsf9FjfiHZW5irkhtWfHWTnNaq
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.locked 1.84 KB MD5: 05759498d75c6d07f255936315bb152f
SHA1: 4d232c50d14335a8383568121bf34fb881dc545d
SHA256: 839e2b6b6f39a0a46475fa64da194ccef5528d6ce6f2d448b1711bda6d4701b5
SSDeep: 48:1YWvc5w6K7x7zxSTGYhFvk8+jO4HWN/gyOCbbTCQMMoylf0:S0Yy7xzdYhFfUfH2/gy9bbJ5M
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 78b03277f7ad304a877e9557be32410a
SHA1: c3405db741439ede4fd9a6625edb66c67046a294
SHA256: 16b0a5183fbb6ccbc0650d137a1ca3f2df5cc472a35f8054c0f555c452754e4e
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWXtLCcV:xzSsf9FjfiHZW5irkhtWfHWXt1
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt 1.11 KB MD5: cf9d67009e57fb2f2626bfde003c2eba
SHA1: ec938bd835a5c20f81c33192ff5dae41738a911a
SHA256: a3e5584079eedca344767b8fcc22d5caca0d5695512ca3fe1911e8bcf84c1edc
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW6qFuZPz6L:xzSsf9FjfiHZW5irkhtWfHWnQ+
False
C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt 1.11 KB MD5: 85c1a114f051bc18a0cb1a52eded3ab2
SHA1: 29b86bc0d045c81d7382f0abb9a48012d8e48b6e
SHA256: 8e36218dfece9204e8f5dde00cf2a43ca0d52a6fd06af6e2c80b6392d25ff7dc
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWt50kNHPf:xzSsf9FjfiHZW5irkhtWfHWtim3
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.locked 855.00 KB MD5: 0d17a0b14e7b00a5a8d276be3b7dcf74
SHA1: d8b8dd9513f69c2f763c4f5d7b9541b24efc04e3
SHA256: 88175d09b6bea7aad312f9771f61dfe3a39a2703f51c93a35f1ecb18745657d5
SSDeep: 24576:2ZrQqLzLA+ZdFqZ6Tr46+iFxEH9wliBf8lm+Cj:YLzXFNTrmi8H9wRm+e
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.locked 1.76 KB MD5: c546671f153d0dfd3ce460ea8b764bc3
SHA1: b025ed21e7c3ebca450d8a0aab5d96c4ce816c58
SHA256: 739966c69c4537187c6497cb76c8fd66533592cac7fdf871ea356afc5201fafb
SSDeep: 48:Uqmhfs4H6/pk4P9nhBpC2wkie6v2krjAAc/9uQAG:UVf16/pk69hRzAMPAG
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt 1.11 KB MD5: c7340d1507912fbe38a571467b930ae1
SHA1: 6c25775a2f77a1d327e04a6bf4f642529ebb52d3
SHA256: 6a3e44a847a9a4b6e4de8b516d7855c55e304abf51c2f7c92a885503687521ff
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWIt6yDsGAIw:xzSsf9FjfiHZW5irkhtWfHWItRjAIw
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.locked 5.75 KB MD5: c4922dd79983f6d387599e50bd2ebb43
SHA1: 1f6031fd2b5bd206d6209096606d688027bb7923
SHA256: 5f241e51cf8c57532cf9574fccab987e26be9ca3428f6770be1eadb5c4038e2a
SSDeep: 96:NXtr7PQ4u/DTvgDX0tNDHbUF3qptnWfdIkcouXLGx7RvkfqHvmRB4Z0Srcx6Uaas:7cXgwDDHwF7VDcS7SfqODLMcx7e
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt 1.11 KB MD5: 7326b60c55da0f2a468771f116140de1
SHA1: 2dff3d6d96035cfb1d639844bef17eac4bcf0f81
SHA256: 6ac7a777659a3d45d6b367d361278552b1c9590476a98214db3ec2c2b7f024b2
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWOSCSk+Il3U:xzSsf9FjfiHZW5irkhtWfHWOyDIZU
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.readme_txt 1.11 KB MD5: 948b26063d76225549503f5289f44df3
SHA1: df59bb7fe058d4970469ac4690b8b5b22c78e572
SHA256: 8c765807b75196696d645ddc44b1ae7c229524b3b0a585179e730b8f6457fcfd
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWfp31v90U:xzSsf9FjfiHZW5irkhtWfHWBlvd
False
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt 1.11 KB MD5: 87678435dab5385c6a51b222e119ed78
SHA1: 4aea284d906afdc7ce8fe439836ab3f52410c570
SHA256: c84c0e7f44a46216d3be3b1c97607615b8a88334405b2c6ba46d799c91f91f6b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWKjl7hmc2Qah:xzSsf9FjfiHZW5irkhtWfHW6lmc25
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.locked 2.79 MB MD5: 10e7d49c587ee5cdf369f1770309745d
SHA1: 8a901b640b2fef2a31c2141a44faef600458d019
SHA256: a109d217115f875b072de2b00b2424e9cae56e2a64207a255259be2850a87035
SSDeep: 49152:omoGF1t5TZQvafHnMC/EXjuxo8VruQn7h3OVce9OuOHgE9UnVuc:b9LZQifHG0v17WceDOApVB
False
C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1 36.00 KB MD5: 55e37ceadd68e3acc571269af0f89be8
SHA1: 549be64325b2609e67307de82ba6e74f455e95e9
SHA256: 9375d56bdc5f2cadf3d047c0ebdc231d60a6a78db2ab4b11251b56b34f659b15
SSDeep: 768:psz1SuCiLS3+hBTILkNuOh4UU1JJqT7/pXk:uSuhZOkNu8e1e
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.locked 848.50 KB MD5: 07f6669544e9a8fe3378774fc520fe36
SHA1: 130d950a5bbf13c361a8211b7bb9c53750ab5703
SHA256: a626967b7bdaf5ee116cfcc3543eb39d5eb095522148494c65479f61afc98094
SSDeep: 12288:vtYfKo9E2hRhPvqANrxU0QdLj0Vj+rP2K5Yg1oayv+OkAER9nuv1tW:kXE4VvqAxC0GLj2+rP2KPg+OjSnoW
False
C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt 1.11 KB MD5: 11155e8ebd22398a43f5b078354542d7
SHA1: 8d5af28b186300216f2451521fcdf85d1d5c545b
SHA256: 933c41d4e15dc4433eb21229ad6e7730a5ab7d1ef57a3bd2f201a72e34259d6e
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWjKsXyaujR:xzSsf9FjfiHZW5irkhtWfHWjPCj
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi.readme_txt 1.11 KB MD5: db76dc77fec364f0118270b3c96b2f4e
SHA1: 84faa3c7e669ded839cfe1d66cae83e2fdd08d7a
SHA256: ff59437c4ed48c82031e5e4dafafc8c3077581e6417b92ea2db43184b559e21b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW8CrYRfO:xzSsf9FjfiHZW5irkhtWfHWJUxO
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 39bffc4243d1053dda98b61cbf073d3f
SHA1: 791c1a4b87f27838b096733d331632e52095198d
SHA256: 1cb0e4230c889c7fe2c5e18033505b463514dcd43547fbbec9ae9fa532a63fbe
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW4BFKz:xzSsf9FjfiHZW5irkhtWfHWmF0
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt 1.11 KB MD5: b2d8828ed4c27d2fe991f46778f18ed2
SHA1: e67aa3bf9b4a4b062b8ca7598b222952a580dd43
SHA256: be766412e3220cb7a2c991e98eea5b709f97d6835441b7fcccbe355763683fe5
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWD4GGRnf:xzSsf9FjfiHZW5irkhtWfHWpGRf
False
C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 593032acf5ba961f63485005f0c896a5
SHA1: 6a5e08b4839af010bd4dd1ddb9ecfa6e9d2f193a
SHA256: 05dab9e57416f7c7219c9f385f17bc7646d53647e05ba1f1bf0f5b490a039758
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWTFuU4Q82V:xzSsf9FjfiHZW5irkhtWfHWZRsq
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.locked 2.73 MB MD5: 7cef9fad4d423d9b8beb3133aa6a850a
SHA1: 1e60c3952865e6476e66a89f26b97bd8e565d9dd
SHA256: d2125c14bc4f11e78b3b4d69117da28e2b268f5335a441b0a85105648111424a
SSDeep: 49152:CbcQNbSQoHH7SuIoJ9rdPvd5WzPWHnHf561QG8MLA4CjvoM:SPSQsbZJB9duWnf561Q7UejQM
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt 1.11 KB MD5: 6d4090c298e4db69c26b76e77a1544ff
SHA1: fb7813b0fe6a3ccfdc6690d03900d9aefd4831a1
SHA256: c53f387148e530ecfc0292f3b00069e7b1dd814facee81963220fbace3ea1950
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWFwKNQ0yry:xzSsf9FjfiHZW5irkhtWfHWFm06y
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi.readme_txt 1.11 KB MD5: 3fef04f533d05b5179df5357ad340d10
SHA1: f17bdc2695ae92339fad4dc9dc8820d2bf25589a
SHA256: 88f26732172f91918a0c9182c88fd3b905881b4e78f2ec147767f2cec1e61798
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWBb:xzSsf9FjfiHZW5irkhtWfHWBb
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.locked 1.42 KB MD5: 46c15313918f49889a31734844cf3c2a
SHA1: b2db3910116c5d4528cd805c8cc9c2ffc3034771
SHA256: 3cef9a483847345f849fa64d10793207717aaeffd71727df2efdb52a4aa3c8f8
SSDeep: 24:0DHW3aCccmI+aBNO+3LVTWg9/HlJRX3hYtGKhDsXOlK7BRi/BczU/CqmaM:r3Gcmza3LV6g9/3rYtzgmEBs/B9CZ/
False
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt 1.11 KB MD5: e0771ba934f23ccd8dac721d1df5d388
SHA1: 80ababa6ea87c00c8ea51ebcd36c14e7a686183c
SHA256: 2ff4a59b3f796c42754f54ce47e79b4ddffb765f45b0d824124d457bf0d8af06
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWXpReqn4:xzSsf9FjfiHZW5irkhtWfHWO
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt 1.11 KB MD5: daf253f3aa3345b11fd7d518302161b9
SHA1: bd8cd22d19780c5bbc2a025ce511607cd05964e1
SHA256: a4ab6be3e5e72e2a1bb1cba0efb78ea76660b783146cbfc3bca8f5d9e85a616b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWdU2/:xzSsf9FjfiHZW5irkhtWfHWdUW
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt 1.11 KB MD5: f4252225596b11d48c5f4b380fa7d6f6
SHA1: 03e4ed6f888b8798a712e26c9d35bd3901bd8135
SHA256: 840ced25d99b1ed7ead1a04917198db60e6527eb72bd67a1499f0d9d395c3a72
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWbQJTv1XnMOb:xzSsf9FjfiHZW5irkhtWfHWbQb7b
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.locked 1.32 KB MD5: fedf49ac8c97bf0315c47d687da04d61
SHA1: ff05a4315039def8a22781e75c40b8f39449a0b3
SHA256: 06999c34022794beaa79cf5f4d139a4c2212ae0ce130c7e2d2ecd8faa6c08681
SSDeep: 24:7BJA583D8nZITZV6xp8WzDW+Gnfo5iiivsDOO044drY/UkMAgeAXjkcOX:7rA2z8aTr4pdzi+J5igDmNlNJXofX
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.locked 2.39 MB MD5: 6cdcdc9ce14079c4dc6d86eb6ce721ae
SHA1: f86e1933e4d6a7b1a7defd710ee94ce237e23c19
SHA256: 01a1e5193246dcfad5e70afa792e2bb04950d21ad2ec65446a9d0228ce5e5a40
SSDeep: 49152:WMjkGbgwOFFEoq9361fOVQnd0Dtukoqj2KA65ViE2DAa35IX0AMKKfsNT:VjkGkFEoqJ6lOKndqs5K7H2DikA5
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.locked 1.35 KB MD5: f95055a8a463eca57d7d35171e25693b
SHA1: 0cdf35e3a2f7955033520b164e58223d61f3db4d
SHA256: 88078d0aad8a521122dbd9d07154e0cfa87c7dbc566275175e4e21838704817c
SSDeep: 24:8mOBs0qyzE7oGJ8RRDgZPRgJqyONbJrmMhHJXilcc7hc4I3sa0rYZ4gK:8fBKMauDgZP7yCVrJ5Rnc1c+aS+a
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab.readme_txt 1.11 KB MD5: 8c7f87d00a9c54fe8c84ea19d0243d3b
SHA1: 174858cfd7ef728557bbfbc6b93218ad5f43e92d
SHA256: b7f11f38a93d26c2d23bc5f417cf1825296b3068a92a97b10037026591e1f4be
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWcq/aMRvo:xzSsf9FjfiHZW5irkhtWfHW3aovo
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.locked 1.53 KB MD5: bec808415f3c92ecf13d2cff39b5da8c
SHA1: e399d9a0d61ed5e7a6f9ff073a1b27d6ac288767
SHA256: 07821a3b587c125dc107bacaddac3a4f8ec5ac21e786109efafcb49467316ef4
SSDeep: 24:+1UJVLeIiRqt1eoGUqGbPJPLQlrpTm5xzx4UbYgyxaurBDeVCl3GXJCb:+1UHLeIiADGGRPCgdTkggl3rb
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt 1.11 KB MD5: ca1c48ede2fd890b1aaac1f5c66dd0ca
SHA1: 1974d9771ee88e2b2f46e915cedfe457a22aee91
SHA256: 8750563eaf1cfd73b33b51b1a74bb3346615c58d2461b8eb0b3ed8e79a98ea6e
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWbMA7NSR7w:xzSsf9FjfiHZW5irkhtWfHWbM6w0
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.locked 1.42 KB MD5: 666c2437dc1070458d4d674aac98cf36
SHA1: 2c0c05211be9ce747e0e4ec51e6c429ebdc1ed4c
SHA256: 7e88900118a510222e8955aa8eeb90afa27201b6661eb1f857a757c8bdeb7253
SSDeep: 24:L1WDmt4K74+GoprFgFoM9RzaDg4WVNg6bG9Dsd3Z8z+iJeRY98T8DFWvmVuPG:xWDmrsoprFgF79ULWDZmOpm5cW68skmG
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.locked 1.42 KB MD5: 0432274d7d98e9f27e09f493b6140d8a
SHA1: 3ac96d7c29ea7ae8275548b51bd804e03bef5418
SHA256: 998c73ec1168d6d3e205c865340b3b4516e8a6d836f2ed0cf8e011365f8188b3
SSDeep: 24:ApD1nKbWY8u19GkNYXGORPDIaMUM8WRTmNWzU03/jfYS0kc1HDcp/Le09D/rtEKC:IDBKiu3GkNgGMPwUhWRlzU03/jYSmdDj
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.readme_txt 1.11 KB MD5: e388ead1fec35d0648e6ea6ef7900782
SHA1: f45195c775ca744fcf93cadb7be8a71f9d5059d7
SHA256: 045cb93903d79e9a80a6d90efa1bc874a63aee9f8c7dbf4a7a00bfdddca8b637
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWBjMR6jeAfJi:xzSsf9FjfiHZW5irkhtWfHWBjMzAf0
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt 1.11 KB MD5: 08cfc5ff9bb699ed829055f4f2008e20
SHA1: 42b69f060f2b1672bfc17f55d7785c3fa63e9272
SHA256: 5785008d7eb8938a09edcc0590d229fb6f6e3bb830b10d0817014f383f7d3517
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW578Clx+UOA5Mh:xzSsf9FjfiHZW5irkhtWfHW57Vlt7yh
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.readme_txt 1.11 KB MD5: 7593abf3496eb32b7a08dd8cd5f130fb
SHA1: 2c7e40c3dff65656dd4698bed50590f857b048ac
SHA256: 0b2455cdf43b84296f5789fc2fb21bd03bdde6a27c221e0447a84051c8747d43
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWU1tnS6:xzSsf9FjfiHZW5irkhtWfHWanR
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.locked 853.50 KB MD5: 01150f3c465486f6671846c803ba7039
SHA1: 711afbcb77b1ce1820a8abe6634ebd4c129e4c25
SHA256: a94783c7da754bedb582187bd65d095e5349f76ea73641aa588f410536389bd4
SSDeep: 24576:TMV0fMRnomzaFaEJckGWxMdS3MrCnRB96cwO/R:AVJnZzJm+vdIQCRXwO/R
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.readme_txt 1.11 KB MD5: c4f74befc41ba06740ace2c8a651053d
SHA1: 605eae12b47d98c238ed47369ee820a634e8357e
SHA256: 4e4a760fd7c457d3b92c680b9754c2fe22dd12195a90f7db1666ff8633f14171
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWzzbRyfXtLEs:xzSsf9FjfiHZW5irkhtWfHWffs
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt 1.11 KB MD5: ab079fc59c2eca46c2b480c14ddf4168
SHA1: 8aa2808a07a3bf06043fd23c9d76ebeaf5fae1e6
SHA256: a8db530c7c1cb404a53942d2b2ed5060fa31787bc66d82d96448e69a7495a09b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW1PJ1:xzSsf9FjfiHZW5irkhtWfHW1PJ1
False
C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt 1.11 KB MD5: 60facc227378e0aad97f435fb105a5e9
SHA1: ca06d518667e87b9b7aedff049215552bf49f891
SHA256: 24538e5bdb4ccd9651e6f659feedc07833195b5de20af869ec18e77c845708d1
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWjKmDNVq2J:xzSsf9FjfiHZW5irkhtWfHWjpD+2J
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.locked 2.37 KB MD5: a89d1360be99eb508f8ecbb0a3d4c880
SHA1: df285d42b3fba8a5f8f13b48eaef0e63323c1a45
SHA256: 6545f4cc59de84f284f6f7a30045fe9c3fe32639ddb3220817ea8512f417fced
SSDeep: 48:h9jbXG0XhO26HZ1lwNGv83F2DPlZy/q/PTk1:vHlR9GaFkP6Uw
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab.readme_txt 1.11 KB MD5: f6e5f39526c4661a5b7d1149d053c24b
SHA1: c24c189adea44222834476a605cf3dab59708623
SHA256: 45dff93014f573f0921dcfe367a2150be2c1bf7b8877dc82c3d0407598ed87f6
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWivXFfFhcLyzn:xzSsf9FjfiHZW5irkhtWfHWiPfuG
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.locked 2.40 MB MD5: f392e3fb79467facb1b557467f47dbb1
SHA1: 1a7df1eadb221a478b69352c4880b64598dbae4c
SHA256: 53ac4f22344b4dc44e91f1c49a579d5334c3a93407a21fc3f6e62c36a7c4a30e
SSDeep: 49152:V4b9l7I8XNBlc7PT43ggr5NobEV2b4mv7pLXPk3BWMCNFRmU8:V4bHkkNBlEk3gg1NobEEcubekPBs
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt 1.11 KB MD5: a0ae07f723082a9069bc7690ea9fe53d
SHA1: 31b5a5013e8ff302bd03ab1f934a683fe8f38da4
SHA256: e69dffd33245e095b9080da48a057e2f7bef464d728138b75abdc636dc32a766
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWNnDt5GCU:xzSsf9FjfiHZW5irkhtWfHWBDnlU
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.locked 0.79 KB MD5: 749598b8b517c455397a8cb1261a1b8b
SHA1: 67f3592614d89c24b6762dd0b23b7f315a76bc5c
SHA256: a24a1fbfd040e69505b0beae148ebaf05857c71e7d495c12c5bfa8d54ac51ed8
SSDeep: 24:sahh4gfqf+XSDLsyu6FRYPrbX7u0hhqd5X3ujf/Oj3:s4hsMSMyu6Afzhhqd5X+jf/Oj3
False
C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: b2292dee4e86e5ab76ced66c797ab966
SHA1: 843ff08cc71f18817f101589e5cd22e11786ed53
SHA256: d1219226d5c3fafbcd0ddb2abe5b5da8b1e754a36fa725e93570df240224b9f0
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWSTe0XJd7OrECjF:xzSsf9FjfiHZW5irkhtWfHWZ0jO/jF
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.locked 429.84 KB MD5: e88b2ac70c39f7310a51eda64c3b7717
SHA1: fd20382a9ccba60f7703683c808622f97c0ade35
SHA256: bf920cff198d175ee05a2325bd6f928d1ac1378f9522cc092308fecb2c6f9f90
SSDeep: 12288:xhOFWdMQjpcf0mLbWFyhroTunDyGwJcn+CFidO2Z:x0WdMAS0MWFy1ykLw+nZidO2Z
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt 1.11 KB MD5: d66164da0d07c476446901db80419868
SHA1: 161797d8b41e6467052d3a2a8665d7362039733b
SHA256: 883757aa79b263566c4c812a7bd3052d404013c089e5c624bd9333fe607a3d33
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW4N8O:xzSsf9FjfiHZW5irkhtWfHW4Nt
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.locked 2.24 KB MD5: 05f4b8dee712bcb57d4c131fe4c792ec
SHA1: 78a4e8dcf5e4d9e5dfbb4b83755317ab2da7610c
SHA256: 443ecdc5e39a31d14d29937bb1b1ead99ce1786664fb4260b56ef17d8dc4d4e9
SSDeep: 48:F+n7ABxmV+gScLLJuYLI9fGmFYps1EdgaazHZelBjS4Y04NWNmt:FQ7OmV+gS0Ju+I9uKYhdXazklB24Z4NP
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt 1.11 KB MD5: 9114ef408e4cf76c572c2cc6cdfff819
SHA1: 9adc0c9705a4ba7f16abca57507d21106ded67db
SHA256: 837a1ac12fe49899e1f4903200619acb067389701407b64921652fa62784778a
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWtLtpA:xzSsf9FjfiHZW5irkhtWfHWtLtq
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST.readme_txt 1.11 KB MD5: db92369748ca16f02a446fbf5a84e583
SHA1: 9a2a6e7eff854763097871f85fea96e9f2627a2a
SHA256: 6bf7e2d0f41108d10da1ba992e923591e1d23ae303e3fc225c734c74349e0894
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWXePioWxY9d:xzSsf9FjfiHZW5irkhtWfHWXxxY9d
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.locked 10.00 MB MD5: fea1c770b86198154f5efb7a2c267880
SHA1: 75b607d122a07a46f272b21b6f7dba3476e19212
SHA256: 610c070fd50965f395e3d18d72b6286364222fb0ebca09b1cdc95b91722e7355
SSDeep: 196608:+jqOJh4z/CyaHYj5Ilr2j8T+aqpkvjoNB3IHS5xKp6UerqRPQVd:+jqOMz/Cujf4jmw76haPQVd
False
C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi.readme_txt 1.11 KB MD5: cae69c980810d6e0e426bce3e314528c
SHA1: 520dea866d6b6890335befa388693c3d38da476b
SHA256: 476a19f18dfbd995ec9cbfa1303f38a5b2b4f09316f08c4d021cc9a4b7551e5b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWdh72R:xzSsf9FjfiHZW5irkhtWfHWn7y
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: d58808e6f32bedeaf2c27a687179cfa7
SHA1: f4c047f976c646f8417e8df37183dbb142a20b87
SHA256: d4e3a6dc637a9bb2028a73772ff12f550fd6817f07a7649e69ac92f19a57fddb
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWahjB82O:xzSsf9FjfiHZW5irkhtWfHWaRB82O
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.locked 2.31 KB MD5: d514a199b82200fd3d745c6630204ab4
SHA1: 8edaa5c91d7ada9f16978c5b404df3197b10c965
SHA256: a63eb7a7fa15a50ee1431f22be91f2cdedff3bd0a2f03bbbee6cd8cf4647246a
SSDeep: 48:8hC3gPDG7z4KNxLNDasEjy+OB6JnjobdaACLk:8w3gPE4KqX1oRaA0k
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 2dc66cdb1ebfbb4a5456148dc9e9378d
SHA1: ba1838ac07324137f839682a852edfc33c3c70aa
SHA256: 0c6e7badc73445ae9c95ee7b9d4a293de6d8e3f2298b4c4083d87e808c3d7e93
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWzGhDRbNUPOy:xzSsf9FjfiHZW5irkhtWfHWzYeH
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt 1.11 KB MD5: cd2e88c5ce99b1f8727fc29dcaae97c9
SHA1: 45f12d57d8bfac71d14d40205ef923232f00552e
SHA256: ff6a2841f9146c6ac78bdcec4cce3b03bedc3f81a1c2c1b4b10acbe56026086b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWxx:xzSsf9FjfiHZW5irkhtWfHW7
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt 1.11 KB MD5: 83ab0cffc31cef147cd60ca4bee812af
SHA1: a6f9be6b03521053b23ad7ca63f00fef2ddc7616
SHA256: 087a980c5aa21f31b2ca9182460e788e349b236eee09567091d5ccb0b26868ae
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWflJr:xzSsf9FjfiHZW5irkhtWfHWdJr
False
C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: b02503eadc368f7f64cf45785ddac56a
SHA1: b7b0993c43b489f1f75060f7594aca1488dc4f97
SHA256: 005648fb6a6f8bfdf99377ce892594a55166c06e5c88d42b5f72027fac41a20a
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWITgrS2WwX90lws:xzSsf9FjfiHZW5irkhtWfHWIMS2WwXkZ
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt 1.11 KB MD5: 4eeb4cb8d5ec4fdda7cfb5eee6599f11
SHA1: 02dc0d96e13f4909d0b9e33f8dd5324a4fa84605
SHA256: 60c2ef1d9b25cd0ef82df9b95f0e1ff36775ef0585ba30f22f7a1712cb45ace1
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWQ0mQG8+t15V:xzSsf9FjfiHZW5irkhtWfHWQtQxK
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.locked 2.39 MB MD5: 1ec7810fb0cc64a7f64a611badeb21b8
SHA1: a369b105b67f541961f07618327070e0c24ccbd3
SHA256: 5e4aa92b67c4bfbd907d67e0e6f25711446d7d61970da726ced948efb530061f
SSDeep: 49152:5QisaWBM6+5q6W7oO3x4JM8uAXsyLO2aE5n6FFNlTBBHmzj:mBM6+5pWN3x426jLO2aC6F7lfHm3
False
C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.locked 10.00 MB MD5: ecec573f8c35bb2713241707dd07fd3e
SHA1: d16ae4f07eeb23a1ff29865f15389f3b7ee9c69e
SHA256: 926d27d16cb11cc47270786b4287d098b2a9ff1a2357aa9f3900c9c7198e1108
SSDeep: 196608:LztpxzBBNo0iVCosqe78OT5GPmHe0qK7YLVTQ2eqvGhiKoUeQcmYdYbGvA1r:LhRrDPdVamHbqkYZTxeOGSUeQcmYdYbB
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.locked 10.00 MB MD5: d4f3ba9417919b86c0987233dde813ce
SHA1: 989d71581b51b443d4ab30197e18ace8a8e3eda1
SHA256: 35d74bd6f52ebf57a2eb04bf9c219d911548502c627069f3a45684460dabdb70
SSDeep: 196608:x3o+K/59mNYZWWWXk/yE1DKbKer3aCwEjFGAoDk9S5uic6H2W8WDXth1+EHocqk:Vs59mgKDj8wDQ5zc6HRtbV
False
C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt 1.11 KB MD5: 62c54e2788c878f8b94cfabae9ec9622
SHA1: cfb9cd55c09e05f27af5b1f6d14ca98a4746b727
SHA256: 9c7405ed6025e312a3ef5e997293fe463d51ef3a154a2ab7e8960c62de3c0c49
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW2NmedoCXc/L:xzSsf9FjfiHZW5irkhtWfHW2/tXC
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.locked 10.00 MB MD5: a00f3364501c0a977805824aea78110e
SHA1: c29bb23797352da766c378bd86def3e6d9be7472
SHA256: a667d44f8fb05bf2b93f98aeaa760a47b92471a5cba36f2104c126660361ecec
SSDeep: 196608:w7/PoQlzZIk5Z+As4C19LsxkFJayyCAFb1YeS9uI11wCHlM:MoQxZIkD5C9LqAJaXdFB5CL1wCHa
False
C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt 1.11 KB MD5: d3b3d412539641bcd38e755ab5aad114
SHA1: 3a8ca4573a0c8d4f83e56e79d8587cfd2af7f75e
SHA256: 76201f74460b83b5d90d1d16a981600649515985be57bc55607d4f82cbe2cc84
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWwhKFEIn:xzSsf9FjfiHZW5irkhtWfHW0Kpn
False
C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt 1.11 KB MD5: ca77a58004e901989d4e1444a2954836
SHA1: 0221ec87934bea45914e42b5b14e4676fddaacab
SHA256: 127f0fbac92ea917e06d5a68f3840ef376548d2330862eee70f5a2fa716ded16
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW0XPQ9E:xzSsf9FjfiHZW5irkhtWfHW0/Qu
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.locked 9.50 MB MD5: 3eb0d85bb6a8a786c982ae08a27de804
SHA1: 91a2a1c010a21c34acc0fc3286280b76444a1580
SHA256: 36f0e17fd5bbd868206ecfe494f6998e23c03a3e50fe79a43f4e2de1f426bf85
SSDeep: 196608:gSv2/ELkYQ7TTMCBu/oRJHD6aVJ/kz+NN3AOmMYKJZqQ62iAgAOOX9DFAohmD:gBHYQ7TYCwcJGikrIqi5j9D7hmD
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt 1.11 KB MD5: a8d5cdbb0752888a8ab416051fbc4cc9
SHA1: db08c89ae60d5f6ed661a0b6d1bba47f4b2d9c24
SHA256: 6886b3ff264c24f47ee5a63adafeca3038ee7fa8a01d7b39826426d3d1e7afeb
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWzJMMtfh9:xzSsf9FjfiHZW5irkhtWfHWzLfh9
False
C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt 1.11 KB MD5: b98aa5e6f8c08da23e983db8502448c5
SHA1: 33b80d3395e5b5de687d05c8e926b17336445260
SHA256: 42e46b72383870aa63220a73dbd83ffac25d07ad4ada45a07e98d2af11cf4224
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWt7qi0GVYoWG+6V:xzSsf9FjfiHZW5irkhtWfHWt7Ov6V
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.locked 3.11 KB MD5: b04427ad20d14f8c82954501f185eedb
SHA1: 7e01c1573375c4783ba5be7dbcc3556da365091b
SHA256: 97db188cbae642df6219be6a1dec602a85244f17fcb58056d1e75001a997a930
SSDeep: 96:0X3d6TqI2pNaUgUcskEBqP/uAvqFC4++Ah:8t6Tq+XNEBGPbn
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt 1.11 KB MD5: 5aa7173661a2320842f5d203313c562f
SHA1: a9faa003c6b2e4cb0fff823c971a764a74c18353
SHA256: 0d23a7d673385b217e9c6f58c4d338ec48e7d79c57571c1736b0371bdc3b4636
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWkpDC:xzSsf9FjfiHZW5irkhtWfHWkBC
False
C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.locked 10.00 MB MD5: cd295b175a439bf08233d75f5d57a46d
SHA1: 26289535c6ec2f31524f7dea92bf3cfd043ad84d
SHA256: 6b89247e97c0e4a837af073f157263914bc8cfcd144139a4d2286f9659f27d00
SSDeep: 196608:MvC9UQQctcGU2Fe72/FgltiTZcLoyv9uMnFfkpvMYKH5NOkW:MvkUOtw2sltiTkJv9uMFfkpv28
False
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.locked 10.00 MB MD5: 7b8c00c932c5e0ec3b79af04e73b175f
SHA1: e719c5422da9ffc1efae345127d2f488cfaca87d
SHA256: 61a2e50acda32ff3e8cbf44663b3f268d33aa25ded6ac17718196a13b4d41320
SSDeep: 196608:Dt1eYop4m7hxo2tYcO/b5KmxuocWvMVj/VNXB85cQVMSvlWQXi:5TeKiYDb5KrocWvMVRgXOfQXi
False
C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.readme_txt 1.11 KB MD5: 323f87120be74449432c5917b01241b7
SHA1: b288bcfe99ef6384a394063bfec742d60ebb2d08
SHA256: 6ebf9496d521af481498b495986d4e7bd19e9b760ddfdc403829aeb634620174
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWpmz3nOC:xzSsf9FjfiHZW5irkhtWfHW03OC
False
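The listing above is flat: every dropped file occupies five lines (path with size and MD5, then SHA1, SHA256, SSDeep, and the YARA match flag). Two things stand out when you read it as data rather than as a wall of hashes. Every `.locked` artifact has a `.readme_txt` written beside it for the same original name (`Setup.xml.locked` next to `Setup.xml.readme_txt`, `PubLR.cab.locked` next to `PubLR.cab.readme_txt`), so the note is dropped per file, not per directory. And all of the notes carry a block-size-24 ssdeep signature whose chunk part starts with the same 50 characters, which is what one ransom-note template with a short variable tail looks like. The following Python is an added triage example, not VMRay code: it parses records in this five-line format, pairs each `.locked` file with its note, and extracts the shared chunk prefix of the notes. The sample input is five records copied verbatim from the listing above; the prefix comparison is a plain string check, labelled as such, and not a real ssdeep similarity score, which would need the ssdeep library.

```python
"""Triage helper for flattened VMRay dropped-file listings (added example, not VMRay code)."""
import re
from collections import defaultdict
from os.path import commonprefix

# Constructed sample: five records copied verbatim from the listing above.
SAMPLE_LISTING = r"""
C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt 1.11 KB MD5: ab079fc59c2eca46c2b480c14ddf4168
SHA1: 8aa2808a07a3bf06043fd23c9d76ebeaf5fae1e6
SHA256: a8db530c7c1cb404a53942d2b2ed5060fa31787bc66d82d96448e69a7495a09b
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHW1PJ1:xzSsf9FjfiHZW5irkhtWfHW1PJ1
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.locked 2.37 KB MD5: a89d1360be99eb508f8ecbb0a3d4c880
SHA1: df285d42b3fba8a5f8f13b48eaef0e63323c1a45
SHA256: 6545f4cc59de84f284f6f7a30045fe9c3fe32639ddb3220817ea8512f417fced
SSDeep: 48:h9jbXG0XhO26HZ1lwNGv83F2DPlZy/q/PTk1:vHlR9GaFkP6Uw
False
C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt 1.11 KB MD5: 2dc66cdb1ebfbb4a5456148dc9e9378d
SHA1: ba1838ac07324137f839682a852edfc33c3c70aa
SHA256: 0c6e7badc73445ae9c95ee7b9d4a293de6d8e3f2298b4c4083d87e808c3d7e93
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWzGhDRbNUPOy:xzSsf9FjfiHZW5irkhtWfHWzYeH
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.locked 9.50 MB MD5: 3eb0d85bb6a8a786c982ae08a27de804
SHA1: 91a2a1c010a21c34acc0fc3286280b76444a1580
SHA256: 36f0e17fd5bbd868206ecfe494f6998e23c03a3e50fe79a43f4e2de1f426bf85
SSDeep: 196608:gSv2/ELkYQ7TTMCBu/oRJHD6aVJ/kz+NN3AOmMYKJZqQ62iAgAOOX9DFAohmD:gBHYQ7TYCwcJGikrIqi5j9D7hmD
False
C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt 1.11 KB MD5: a0ae07f723082a9069bc7690ea9fe53d
SHA1: 31b5a5013e8ff302bd03ab1f934a683fe8f38da4
SHA256: e69dffd33245e095b9080da48a057e2f7bef464d728138b75abdc636dc32a766
SSDeep: 24:iVezHysf9F2Ob/8pqvKHHBA1+y39FXIvjBJk1YspzLiQtC7fHWNnDt5GCU:xzSsf9FjfiHZW5irkhtWfHWBDnlU
False
"""

# First line of a record: "<path> <size> <unit> MD5: <hex>". The path may contain spaces.
RECORD_HEAD = re.compile(
    r"^(?P<path>.+?) (?P<size>\d+(?:\.\d+)? (?:B|KB|MB|GB)) MD5: (?P<md5>[0-9a-f]{32})$"
)
NOTE_SUFFIX = ".readme_txt"    # ransom note dropped beside each victim file
LOCKED_SUFFIX = ".locked"      # encrypted victim file


def parse_listing(text):
    """Turn the flattened five-line records into a list of dicts."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = RECORD_HEAD.match(line)
        if head:                       # a new record starts
            current = head.groupdict()
            records.append(current)
        elif current is None:
            continue                   # junk before the first record
        elif line.startswith("SHA1: "):
            current["sha1"] = line[len("SHA1: "):]
        elif line.startswith("SHA256: "):
            current["sha256"] = line[len("SHA256: "):]
        elif line.startswith("SSDeep: "):
            current["ssdeep"] = line[len("SSDeep: "):]
        elif line in ("True", "False"):
            current["yara"] = line == "True"   # YARA Match column
    return records


def pair_artifacts(records):
    """Map original filename -> {'locked': rec, 'note': rec} by stripping the suffixes."""
    pairs = defaultdict(dict)
    for rec in records:
        path = rec["path"]
        if path.endswith(NOTE_SUFFIX):
            pairs[path[: -len(NOTE_SUFFIX)]]["note"] = rec
        elif path.endswith(LOCKED_SUFFIX):
            pairs[path[: -len(LOCKED_SUFFIX)]]["locked"] = rec
    return dict(pairs)


def complete_pairs(pairs):
    """Original filenames for which both the encrypted copy and the note were seen."""
    return sorted(k for k, v in pairs.items() if "locked" in v and "note" in v)


def split_ssdeep(sig):
    """ssdeep signature is 'blocksize:chunk:double_chunk'."""
    block, chunk, double = sig.split(":", 2)
    return int(block), chunk, double


def note_template(records):
    """Block size(s) and the common chunk prefix of all ransom notes.
    Plain string comparison only: a cheap 'same template?' hint, not ssdeep scoring."""
    sigs = [split_ssdeep(r["ssdeep"]) for r in records if r["path"].endswith(NOTE_SUFFIX)]
    return {
        "count": len(sigs),
        "block_sizes": {b for b, _, _ in sigs},
        "chunk_prefix": commonprefix([c for _, c, _ in sigs]) if sigs else "",
    }


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(len(recs), "records;", "complete pairs:", complete_pairs(pair_artifacts(recs)))
    print("note template:", note_template(recs))
```

Run it against the full listing (all the dropped-file records of the report pasted into `SAMPLE_LISTING`) and the `chunk_prefix` stays the same while `complete_pairs` grows to one entry per encrypted file; a note without a `.locked` twin, such as `Proof.msi.readme_txt` in this excerpt, usually means the encrypted copy is listed in a part of the report you did not paste, not that the note was dropped on its own.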
Modified Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE 128.50 KB MD5: 5e4d33770945fab4c48bedf329c7ce5c
SHA1: 54a6e4d0ca09af93a96eb3ee22085759da63902b
SHA256: c65df5ec5152af018ff362039351255ba7b59ea844639619f73d96ea135ab1f0
SSDeep: 3072:drpyXTfAqsqJ6FHoZfsMoQQNglC1Omz8spl+9dVKj+4:Zpy4OBVQGCMmzRpIVKj+
False
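The file-operation table under Host Behavior below records one row per CreateFile call: operation, path, the requested access and attributes, whether the call succeeded, and a count. Read in order, the rows show the whole encryption loop. Directory handles are opened with FILE_FLAG_OPEN_REPARSE_POINT and FILE_FLAG_BACKUP_SEMANTICS (the tree walk), a hidden staging file and an alternate data stream (`8DAT2H~1:bin`) are written under the roaming profile, every victim file is then opened with GENERIC_WRITE, GENERIC_READ and immediately followed by a `.readme_txt` sibling, and write attempts under `C:\Boot` come back False. The following Python is an added detection example, not VMRay code: it parses rows in this format (the `Fn` logfile column left out), builds a per-process profile of those signals, and applies a simple verdict. The sample rows are eleven lines copied from the table below; the thresholds in `is_ransomware_like` and the "protected" path list are assumptions for the example, not values from the report.

```python
"""Ransomware heuristics over a VMRay file-operation table (added example, not VMRay code)."""
import re
from collections import Counter

# Constructed sample: eleven rows copied from the Host Behavior / File table of this
# report, without the trailing "Fn" logfile column.
SAMPLE_OPS = r"""
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\8DaT2hw8LGIxi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Create C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Create C:\Boot desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
"""

# One table row: op, path (may contain spaces), access list, attribute list,
# optional share mode, success flag, call count.
OP_LINE = re.compile(
    r"^(?P<op>\w+) (?P<path>.+?) desired_access = (?P<access>.+?), "
    r"file_attributes = (?P<attrs>.+?)(?:, share_mode = (?P<share>.+?))? "
    r"(?P<ok>True|False) (?P<count>\d+)$"
)
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*:[^\\]+$")   # second colon = NTFS alternate data stream
NOTE_SUFFIX = ".readme_txt"
PROTECTED = ("C:\\Boot", "C:\\Windows")            # assumed list of paths a user-mode encryptor should not reach


def parse_ops(text):
    """Parse table rows into dicts with access/attrs as sets and ok as bool."""
    ops = []
    for raw in text.splitlines():
        m = OP_LINE.match(raw.strip())
        if not m:
            continue
        row = m.groupdict()
        row["access"] = set(row["access"].split(", "))
        row["attrs"] = set(row["attrs"].split(", "))
        row["ok"] = row["ok"] == "True"
        ops.append(row)
    return ops


def ransomware_profile(ops):
    """Count the signals that, together, characterise a file encryptor."""
    prof = Counter()
    victims, notes = set(), set()
    for o in ops:
        path, writes = o["path"], "GENERIC_WRITE" in o["access"]
        if "FILE_FLAG_BACKUP_SEMANTICS" in o["attrs"]:
            prof["dir_enum"] += 1              # directory handle: the tree walk
            continue
        if not writes:
            continue
        if ADS_PATH.match(path):
            prof["ads_writes"] += 1            # payload staged in an ADS
        elif "FILE_ATTRIBUTE_HIDDEN" in o["attrs"]:
            prof["hidden_staging"] += 1        # hidden dropper artifact
        elif path.endswith(NOTE_SUFFIX):
            notes.add(path[: -len(NOTE_SUFFIX)])
        elif o["ok"]:
            victims.add(path)                  # data file opened read+write
        elif path.startswith(PROTECTED):
            prof["protected_write_denied"] += 1
    paired = victims & notes                   # victim file with its own note beside it
    prof["victim_opens"] = len(victims)
    prof["notes"] = len(notes)
    prof["paired"] = len(paired)
    prof["victim_dirs"] = len({p.rsplit("\\", 1)[0] for p in paired})
    return dict(prof)


def is_ransomware_like(prof, min_pairs=2, min_dirs=2):
    """Assumed thresholds: notes paired with rewritten files across several directories."""
    return prof.get("paired", 0) >= min_pairs and prof.get("victim_dirs", 0) >= min_dirs


if __name__ == "__main__":
    profile = ransomware_profile(parse_ops(SAMPLE_OPS))
    print(profile, "->", "ransomware-like" if is_ransomware_like(profile) else "inconclusive")
```

The pairing rule (a rewritten file plus a note with the same stem) is what separates an encryptor from a backup tool or an installer, both of which also open many files for write; the ADS and hidden-attribute counts are supporting evidence for the dropper stage rather than for encryption itself, so they are reported but not used in the verdict.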
Host Behavior
File (897)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\8DaT2hw8LGIxi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\Windows\system32\SecEdit.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN True 1
Fn
Create C:\$Recycle.Bin desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\BCD desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\cs-CZ desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\da-DK desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\de-DE desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\el-GR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\en-US\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\en-US\memtest.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\es-ES desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\es-ES\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fi-FI desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fi-FI\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\fr-FR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\hu-HU desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\it-IT desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ja-JP desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ko-KR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nb-NO desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nb-NO\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\nl-NL desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nl-NL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pl-PL desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pl-PL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-BR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-BR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\pt-PT desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-PT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\ru-RU desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ru-RU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\sv-SE desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\sv-SE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\tr-TR desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\tr-TR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-CN desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-CN\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-HK desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-HK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Boot\zh-TW desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-TW\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Config.Msi desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Documents and Settings desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\MSOCache desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.readme_txt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Create C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPrWW.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\8DaT2hw8LGIxi type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\8DaT2hw8LGIxi type = file_attributes True 1
Get Info C:\Windows\system32\SecEdit.exe type = file_attributes True 1
Get Info C:\Windows\system32\SecEdit.exe type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1 type = file_attributes False 1
Get Info C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE type = file_attributes True 1
Get Info C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE type = size, size_out = 0 True 1
Get Info C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin type = file_attributes False 1
Get Info C:\bootmgr type = file_attributes True 2
Get Info C:\BOOTSECT.BAK type = file_attributes True 2
Get Info C:\hiberfil.sys type = file_attributes False 1
Get Info C:\pagefile.sys type = file_attributes False 1
Get Info C:\$Recycle.Bin type = file_attributes True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_attributes True 1
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini type = file_attributes True 2
Get Info C:\Boot type = file_attributes True 1
Get Info C:\Boot\BCD type = file_attributes True 3
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_type False 4
Get Info C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 type = file_type True 3
Get Info - type = file_type True 88
Get Info - type = file_type False 16
Get Info - type = file_type True 112
Get Info - type = file_type True 6
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml type = time True 1
Get Info C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi.readme_txt type = file_attributes False 1
Get Info C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.readme_txt type = file_attributes False 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi True 1
Move C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.locked source_filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab True 1
Move C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST.locked source_filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab True 1
Move C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.locked source_filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi True 1
Move C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.locked source_filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml True 1
Read C:\Windows\system32\SecEdit.exe size = 36864, size_out = 36864 True 1
Read C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE size = 131584, size_out = 131584 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab size = 6487227, size_out = 6487227 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi size = 2506240, size_out = 2506240 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml size = 1565, size_out = 1565 True 1
Read C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml size = 2296, size_out = 2296 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi size = 2503680, size_out = 2503680 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml size = 1450, size_out = 1450 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab size = 10485760, size_out = 10485760 True 6
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab size = 7447184, size_out = 7447184 True 1
Read C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml size = 1886, size_out = 1886 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi size = 2513920, size_out = 2513920 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml size = 1450, size_out = 1450 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab size = 9958388, size_out = 9958388 True 1
Read C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml size = 1608, size_out = 1608 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab size = 4333516, size_out = 4333516 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi size = 2865664, size_out = 2865664 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml size = 3186, size_out = 3186 True 1
Read C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml size = 4207, size_out = 4207 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml size = 2424, size_out = 2424 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab size = 10485760, size_out = 10485760 True 4
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab size = 1863101, size_out = 1863101 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi size = 2522624, size_out = 2522624 True 1
Read C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml size = 1800, size_out = 1800 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi size = 868864, size_out = 868864 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml size = 811, size_out = 811 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml size = 5884, size_out = 5884 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab size = 996845, size_out = 996845 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi size = 875520, size_out = 875520 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml size = 1347, size_out = 1347 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab size = 3156714, size_out = 3156714 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi size = 881152, size_out = 881152 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml size = 1457, size_out = 1457 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab size = 10485760, size_out = 10485760 True 2
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab size = 93012, size_out = 93012 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi size = 885760, size_out = 885760 True 1
Read C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml size = 1458, size_out = 1458 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi size = 873984, size_out = 873984 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml size = 1383, size_out = 1383 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab size = 2928955, size_out = 2928955 True 1
Read C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml size = 2362, size_out = 2362 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab size = 8389124, size_out = 8389124 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi size = 3124224, size_out = 3124224 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml size = 1231, size_out = 1231 True 1
Read C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml size = 1852, size_out = 1852 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml size = 6241, size_out = 6241 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab size = 10485760, size_out = 10485760 True 4
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab size = 8880349, size_out = 8880349 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi size = 2797568, size_out = 2797568 True 1
Read C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml size = 9503, size_out = 9503 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi size = 2503680, size_out = 2503680 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml size = 1606, size_out = 1606 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab size = 10485760, size_out = 10485760 True 1
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab size = 6970872, size_out = 6970872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml size = 1988, size_out = 1988 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi size = 2511872, size_out = 2511872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml size = 1452, size_out = 1452 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab size = 8265165, size_out = 8265165 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml size = 1872, size_out = 1872 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab size = 4095519, size_out = 4095519 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi size = 2507776, size_out = 2507776 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml size = 913, size_out = 913 True 1
Fn
Read C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml size = 1452, size_out = 1452 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml size = 596341, size_out = 596341 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest size = 1857, size_out = 1857 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab size = 10485760, size_out = 10485760 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab size = 3641986, size_out = 3641986 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi size = 3702272, size_out = 3702272 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml size = 5557, size_out = 5557 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi size = 868864, size_out = 868864 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml size = 819, size_out = 819 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm size = 27195, size_out = 27195 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm size = 67190, size_out = 67190 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml size = 9352, size_out = 9352 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST size = 3584, size_out = 3584 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi size = 868864, size_out = 868864 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml size = 819, size_out = 819 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml size = 2624, size_out = 2624 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi size = 2517504, size_out = 2517504 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml size = 1349, size_out = 1349 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab size = 10485760, size_out = 10485760 True 2
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab size = 7044756, size_out = 7044756 True 1
Fn
Read C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml size = 596341, size_out = 596341 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi size = 1992192, size_out = 1992192 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml size = 4274, size_out = 4274 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab size = 10485760, size_out = 10485760 True 3
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab size = 4775772, size_out = 4775772 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms size = 715834, size_out = 715834 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi size = 10485760, size_out = 10485760 True 2
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi size = 6560768, size_out = 6560768 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml size = 16852, size_out = 16852 True 1
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPrWW.cab size = 10485760, size_out = 10485760 True 3
Fn
Read C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPrWW.cab size = 10485760 False 1
Fn
Write C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1 size = 36864 True 1
Fn
Data
Write C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin size = 131584 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.readme_txt size = 932 True 1
Fn
Data
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlookMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\WordMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proofing.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Proof.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Proof.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Proof.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Office32MUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\OWOW32LR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\InfoPathMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\VisioMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OneNoteMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\OnoteLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjectMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\ProjLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\GrooveMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\branding.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\OfficeMUISet.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\pss10r.chm.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\setup.chm.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\ShellUI.MST.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\AccessMUISet.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Setup.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\AccLR.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\branding.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Office32WW.xml.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\OWOW32WW.cab.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.msi.readme_txt size = 932 True 1
Fn
Write C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\ProPlusrWW.xml.readme_txt size = 932 True 1
Fn
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\\8DaT2hw8LGIxi - True 1
Fn
Registry (213)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Duplicate Key - - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Process (197)
Operation Process Additional Information Success Count Logfile
Create C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin os_pid = 0x9cc, show_window = SW_HIDE True 1
Fn
Get filename System - False 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\smss.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\wininit.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\services.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\lsass.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\lsm.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\svchost.exe True 16
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\audiodg.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\dwm.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\spoolsv.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\taskhost.exe True 4
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\taskeng.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\explorer.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\connectionsdecade.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Reference Assemblies\spectrum fs.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Common Files\amounts_under.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\emergency_limitation.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Mail\partnerships.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\MSBuild\fit.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Mail\ob reid.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Internet Explorer\antonio_done_cultures.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Java\norfolk_trance_directive.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Uninstall Information\cheese-further-reads.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Analysis Services\walking.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Photo Viewer\happiness.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Windows Media Player\clubs_mobility_dive.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Mozilla Maintenance Service\completing.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Journal\polished expressed.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Reference Assemblies\need result.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Sync Framework\spring.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\MSBuild\marvel.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Media Player\clicks plc.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\DVD Maker\inter-angle.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Windows Portable Devices\admit cellular.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files (x86)\Microsoft Analysis Services\contractor.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Microsoft Office\theta.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\csrss.exe True 3
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\conhost.exe True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE True 2
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\VSSVC.exe True 2
Fn
Get Info System type = PROCESS_SESSION_INFORMATION True 95
Fn
Open System desired_access = PROCESS_QUERY_INFORMATION False 2
Fn
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 2
Fn
Memory (84)
Operation | Process | Additional Information | Success | Count
Get Info | System | address = 0x776c2000, allocation_type = MEM_FREE, size_out = 0 | True | 1
Get Info | System | address = 0x776d2000, allocation_type = MEM_RESERVE, size_out = 0 | True | 1
Get Info | System | address = 0x776d4000, allocation_type = MEM_RESERVE, MEM_DECOMMIT, MEM_PRIVATE, MEM_MAPPED, size_out = 0 | True | 1
Get Info | System | address = 0x7773a000, allocation_type = MEM_RESERVE, MEM_DECOMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77740000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x6a | True | 1
Get Info | System | address = 0x777dc000, allocation_type = MEM_RESERVE, MEM_DECOMMIT, MEM_RELEASE, MEM_PRIVATE, MEM_MAPPED, size_out = 0 | True | 1
Get Info | System | address = 0x7784a000, allocation_type = MEM_RESERVE, size_out = 0 | True | 1
Get Info | System | address = 0x7784c000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_FREE, size_out = 0 | True | 1
Get Info | System | address = 0x7785f000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77860000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x64 | True | 1
Get Info | System | address = 0x77963000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_RELEASE, MEM_PRIVATE, size_out = 0 | True | 1
Get Info | System | address = 0x77992000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77993000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77994000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77995000, allocation_type = MEM_RESERVE, size_out = 0 | True | 1
Get Info | System | address = 0x77997000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77998000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x77999000, allocation_type = MEM_RESERVE, size_out = 0 | True | 1
Get Info | System | address = 0x7799b000, allocation_type = MEM_COMMIT, MEM_RESERVE, size_out = 0 | True | 1
Get Info | System | address = 0x7799e000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_RELEASE, MEM_PRIVATE, MEM_MAPPED, size_out = 0 | True | 1
Get Info | System | address = 0x77a09000, size_out = 0 | True | 1
Get Info | System | address = 0x7efe0000, allocation_type = MEM_COMMIT, MEM_DECOMMIT, size_out = 0 | True | 1
Get Info | System | - | False | 1
Get Info | System | address = 0x7efe5000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_RELEASE, MEM_FREE, MEM_PRIVATE, MEM_MAPPED, MEM_RESET, size_out = 0 | True | 1
Get Info | System | address = 0x7f0e0000, allocation_type = MEM_TOP_DOWN, MEM_WRITE_WATCH, MEM_PHYSICAL, MEM_ROTATE, size_out = 0 | True | 1
Get Info | System | address = 0x7ffe0000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0x7ffe1000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_RELEASE, size_out = 0 | True | 1
Get Info | System | address = 0x7fff0000, size_out = 0 | True | 1
Get Info | System | address = 0xfd6a0000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x6c | True | 1
Get Info | System | address = 0xfd6ab000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfd6ac000, allocation_type = MEM_COMMIT, MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd6af000, allocation_type = MEM_COMMIT, size_out = 0 | True | 1
Get Info | System | address = 0xfd6b0000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x60 | True | 1
Get Info | System | address = 0xfd713000, allocation_type = MEM_COMMIT, MEM_DECOMMIT, MEM_PRIVATE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd738000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfd739000, allocation_type = MEM_RELEASE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd741000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_RELEASE, MEM_FREE, MEM_PRIVATE, MEM_MAPPED, size_out = 0 | True | 1
Get Info | System | address = 0xfd7c0000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x66 | True | 1
Get Info | System | address = 0xfd94a000, allocation_type = MEM_RESERVE, MEM_DECOMMIT, MEM_FREE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd960000, allocation_type = MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd962000, allocation_type = MEM_COMMIT, MEM_RELEASE, size_out = 2046 | True | 1
Get Info | System | address = 0xfd96b000, allocation_type = MEM_COMMIT, MEM_DECOMMIT, MEM_FREE, MEM_WRITE_WATCH, size_out = 0 | True | 1
Get Info | System | address = 0xfdb80000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x64 | True | 1
Get Info | System | address = 0xfdc03000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfdc04000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfdc05000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfdc06000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_MAPPED, size_out = 2046 | True | 1
Get Info | System | address = 0xfdc49000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_PRIVATE, MEM_MAPPED, MEM_RESET, size_out = 0 | True | 1
Get Info | System | address = 0xfdd30000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x60 | True | 1
Get Info | System | address = 0xfdd38000, allocation_type = MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xfdd3a000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfdd3b000, allocation_type = MEM_COMMIT, MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xfdd3e000, allocation_type = MEM_RESERVE, MEM_FREE, MEM_MAPPED, MEM_RESET, MEM_TOP_DOWN, MEM_WRITE_WATCH, MEM_PHYSICAL, MEM_ROTATE, size_out = 0 | True | 1
Get Info | System | address = 0xfed10000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x64 | True | 1
Get Info | System | address = 0xfed62000, allocation_type = MEM_RESERVE, MEM_RELEASE, size_out = 2046 | True | 1
Get Info | System | address = 0xfed6c000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfed6d000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xfed6e000, allocation_type = MEM_COMMIT, MEM_RELEASE, size_out = 2046 | True | 1
Get Info | System | address = 0xfed77000, allocation_type = MEM_COMMIT, MEM_RELEASE, MEM_FREE, MEM_MAPPED, MEM_PHYSICAL, size_out = 0 | True | 1
Get Info | System | address = 0xff1d0000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x66 | True | 1
Get Info | System | address = 0xff2b3000, allocation_type = MEM_DECOMMIT, MEM_RELEASE, MEM_PRIVATE, size_out = 2046 | True | 1
Get Info | System | address = 0xff2df000, allocation_type = MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xff2e1000, allocation_type = MEM_DECOMMIT, MEM_RELEASE, MEM_FREE, size_out = 2046 | True | 1
Get Info | System | address = 0xff2fd000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_RESET, MEM_TOP_DOWN, MEM_WRITE_WATCH, MEM_PHYSICAL, size_out = 0 | True | 1
Get Info | System | address = 0xffa80000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x66 | True | 1
Get Info | System | address = 0xffafa000, allocation_type = MEM_COMMIT, MEM_RESERVE, MEM_DECOMMIT, MEM_FREE, size_out = 2046 | True | 1
Get Info | System | address = 0xffb11000, allocation_type = MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xffb13000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xffb14000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0xffb15000, allocation_type = MEM_RESERVE, size_out = 2046 | True | 1
Get Info | System | address = 0xffb17000, allocation_type = MEM_RELEASE, size_out = 2046 | True | 1
Get Info | System | address = 0xffb1f000, allocation_type = MEM_COMMIT, MEM_PRIVATE, MEM_MAPPED, size_out = 0 | True | 1
Get Info | System | address = 0xffb80000, allocation_type = MEM_COMMIT, size_out = 2046 | True | 1
Get Info | System | address = 0x72 | True | 1
Module (138)
Operation | Module | Additional Information | Success | Count
Load | KERNEL32.dll | base_address = 0x773b0000 | True | 1
Load | crypt32.dll | base_address = 0x0 | True | 1
Load | psapi.dll | base_address = 0x0 | True | 1
Get Filename | - | process_name = c:\program files\common files\microsoft shared\source engine\ose.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE, size = 4096 | True | 1
Get Filename | crypt32.dll | process_name = c:\program files\common files\microsoft shared\source engine\ose.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE, size = 512 | True | 1
Get Filename | psapi.dll | process_name = c:\program files\common files\microsoft shared\source engine\ose.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE, size = 512 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringA, address_out = 0x773eb2b7 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = HeapValidate, address_out = 0x773db17b | True | 1
Map | - | process_name = c:\program files\common files\microsoft shared\source engine\ose.exe, desired_access = FILE_MAP_READ | True | 19
Map | - | process_name = c:\program files\common files\microsoft shared\source engine\ose.exe, desired_access = FILE_MAP_READ | False | 111
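The behaviour tables on this page are a flattened HTML grid, which is awkward to grep or diff against another report. The Python below is an added example and is not VMRay code or output: it parses rows in this layout into records and summarises what a ransomware triage wants first from the process rows above and the service rows that follow: child processes created with show_window = SW_HIDE, the running processes the sample resolved by file name, how many services were queried, and which of a small watchlist of shadow-copy and backup services (VSS, swprv, wbengine, SDRSVC, vds) were among them. The watchlist, the function names and the reading of each service's "failed, then succeeded" pair as a buffer-sizing idiom are my assumptions, not statements the report makes; the sample input is a constructed excerpt of rows copied from this page.

```python
"""Parse flattened VMRay 'Grouped Behavior' rows and summarise what matters for
ransomware triage.  Added example, not VMRay's own code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# First-column verbs as printed on the page, longest first so that
# "Get filename" is tried before "Get Info" and "Enumerate Values" before "Enumerate".
OPERATIONS = ("Enumerate Values", "Get filename", "Get Filename", "Get Address",
              "Get Info", "Enumerate", "Create", "Open", "Load", "Map")
# Every data row ends in "<True|False> <count>"; headers, "Fn" link residue and
# section titles do not and are skipped.
_SUFFIX = re.compile(r"^(?P<head>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$")
# The first "name = " marks where the Additional Information column begins.
_FIRST_KV = re.compile(r"(?:^|\s)[A-Za-z_]+ = ")

@dataclass
class Row:
    operation: str
    subject: str                       # Process / Module / Key column ("" when "-")
    info: dict = field(default_factory=dict)
    success: bool = True
    count: int = 1

def parse_kv(text: str) -> dict:
    """'k1 = v1, k2 = v2a, v2b' -> {'k1': 'v1', 'k2': 'v2a, v2b'}: a token without
    ' = ' continues the previous value (multi-flag fields such as allocation_type)."""
    out, last = {}, None
    for tok in text.split(", "):
        if " = " in tok:
            last, val = (s.strip() for s in tok.split(" = ", 1))
            out[last] = val
        elif last is not None:
            out[last] += ", " + tok.strip()
    return out

def parse_row(line: str) -> Optional[Row]:
    m = _SUFFIX.match(line.strip())
    if not m:
        return None
    head = m["head"]
    op = next((o for o in OPERATIONS if head == o or head.startswith(o + " ")), None)
    if op is None:
        return None
    rest = head[len(op):].strip()
    if rest.endswith(" -"):            # empty Additional Information column
        rest = rest[:-2]
    kv = _FIRST_KV.search(rest)
    subject = rest[:kv.start()].strip() if kv else rest
    info = parse_kv(rest[kv.start():].strip()) if kv else {}
    return Row(op, "" if subject == "-" else subject, info, m["ok"] == "True", int(m["count"]))

def parse_rows(text: str) -> list:
    return [r for r in map(parse_row, text.splitlines()) if r is not None]

# Hypothetical watchlist (my assumption, not stated by the report): the services
# behind shadow copies and backups that ransomware enumerates before destroying them.
BACKUP_SERVICES = {"VSS", "swprv", "wbengine", "SDRSVC", "vds"}

def summarize(rows: list) -> dict:
    hidden = [r.subject for r in rows
              if r.operation == "Create" and r.info.get("show_window") == "SW_HIDE"]
    procs = sorted({r.info["file_name"].rsplit("\\", 1)[-1] for r in rows
                    if r.operation == "Get filename" and "file_name" in r.info})
    per_service = {}                   # service -> success flags in log order
    for r in rows:
        if r.operation == "Get Info" and "service_name" in r.info:
            per_service.setdefault(r.info["service_name"], []).append(r.success)
    # A failed query immediately followed by a successful one is the usual
    # buffer-sizing pattern: the first call only returns the required size.
    sized = sum(1 for seq in per_service.values() if seq[:2] == [False, True])
    return {"hidden_children": hidden,
            "enumerated_processes": procs,
            "services_queried": len(per_service),
            "backup_services_queried": sorted(BACKUP_SERVICES & set(per_service)),
            "fail_then_succeed": sized}

# Constructed excerpt: rows copied from this page, plus a header line and an "Fn"
# line to show that non-data lines are ignored.
SAMPLE = r"""Operation Process Additional Information Success Count Logfile
Create C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin os_pid = 0x9cc, show_window = SW_HIDE True 1
Fn
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\lsass.exe True 2
Get filename System file_name = \Device\HarddiskVolume1\Windows\System32\VSSVC.exe True 2
Open System desired_access = PROCESS_QUERY_INFORMATION False 2
Open System desired_access = PROCESS_QUERY_LIMITED_INFORMATION True 2
Get Info System address = 0x776d4000, allocation_type = MEM_RESERVE, MEM_DECOMMIT, MEM_PRIVATE, MEM_MAPPED, size_out = 0 True 1
Enumerate database_name = SERVICES_ACTIVE_DATABASE True 1
Get Info service_name = swprv False 1
Get Info service_name = swprv True 1
Get Info service_name = VSS False 1
Get Info service_name = VSS True 1
Get Info service_name = wbengine False 1
Get Info service_name = wbengine True 1
"""

if __name__ == "__main__":
    print(summarize(parse_rows(SAMPLE)))
```

Run it as a script to print the summary for the embedded excerpt, or pass the text of a whole section to parse_rows. Two things are worth knowing when reading the output: the multi-flag allocation_type values are kept intact because a comma-separated token without an equals sign is treated as a continuation of the previous value, and the per-service "False then True" pair is counted separately from genuine failures because it is consistent with a two-call sizing idiom rather than with the query being refused.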
Service (480)
Operation | Additional Information | Success / Count (in log order)
Enumerate | database_name = SERVICES_ACTIVE_DATABASE | True 1
Get Info | service_name = AdobeFlashPlayerUpdateSvc | False 1, then True 1
Get Info | service_name = AeLookupSvc | False 1, then True 1
Get Info | service_name = ALG | False 1, then True 1
Get Info | service_name = AppIDSvc | False 1, then True 1
Get Info | service_name = Appinfo | False 1, then True 1
Get Info | service_name = AppMgmt | False 1, then True 1
Get Info | service_name = aspnet_state | False 1, then True 1
Get Info | service_name = AudioEndpointBuilder | False 1, then True 1
Get Info | service_name = AudioSrv | False 1, then True 1
Get Info | service_name = AxInstSV | False 1, then True 1
Get Info | service_name = BDESVC | False 1, then True 1
Get Info | service_name = BFE | False 1, then True 1
Get Info | service_name = BITS | False 1, then True 1
Get Info | service_name = Browser | False 1, then True 1
Get Info | service_name = bthserv | False 1, then True 1
Get Info | service_name = CertPropSvc | False 1, then True 1
Get Info | service_name = clr_optimization_v2.0.50727_32 | False 1, then True 1
Get Info | service_name = clr_optimization_v2.0.50727_64 | False 1, then True 1
Get Info | service_name = clr_optimization_v4.0.30319_32 | False 1, then True 1
Get Info | service_name = clr_optimization_v4.0.30319_64 | False 1, then True 1
Get Info | service_name = COMSysApp | False 1, then True 1
Get Info | service_name = CryptSvc | False 1, then True 1
Get Info | service_name = CscService | False 1, then True 1
Get Info | service_name = DcomLaunch | False 1, then True 1
Get Info | service_name = defragsvc | False 1, then True 1
Get Info | service_name = Dhcp | False 1, then True 1
Get Info | service_name = Dnscache | False 1, then True 1
Get Info | service_name = dot3svc | False 1, then True 1
Get Info | service_name = DPS | False 1, then True 1
Get Info | service_name = EapHost | False 1, then True 1
Get Info | service_name = EFS | False 1, then True 1
Get Info | service_name = ehRecvr | False 1, then True 1
Get Info | service_name = ehSched | False 1, then True 1
Get Info | service_name = eventlog | False 1, then True 1
Get Info | service_name = EventSystem | False 1, then True 1
Get Info | service_name = Fax | False 1, then True 1
Get Info | service_name = fdPHost | False 1, then True 1
Get Info | service_name = FDResPub | False 1, then True 1
Get Info | service_name = FontCache | False 1, then True 1
Get Info | service_name = FontCache3.0.0.0 | False 1, then True 1
Get Info | service_name = gpsvc | False 1, then True 1
Get Info | service_name = gupdate | False 1, then True 1
Get Info | service_name = gupdatem | False 1, then True 1
Get Info | service_name = hidserv | False 1, then True 1
Get Info | service_name = hkmsvc | False 1, then True 1
Get Info | service_name = HomeGroupListener | False 1, then True 1
Get Info | service_name = HomeGroupProvider | False 1, then True 1
Get Info | service_name = idsvc | False 1, then True 1
Get Info | service_name = IKEEXT | False 1, then True 1
Get Info | service_name = IPBusEnum | False 1, then True 1
Get Info | service_name = iphlpsvc | False 1, then True 1
Get Info | service_name = KeyIso | False 1, then True 1
Get Info | service_name = KtmRm | False 1, then True 1
Get Info | service_name = LanmanServer | False 1, then True 1
Get Info | service_name = LanmanWorkstation | False 1, then True 1
Get Info | service_name = lltdsvc | False 1, then True 1
Get Info | service_name = lmhosts | False 1, then True 1
Get Info | service_name = Mcx2Svc | False 1, then True 1
Get Info | service_name = Microsoft SharePoint Workspace Audit Service | False 1, then True 1
Get Info | service_name = MMCSS | False 1, then True 1
Get Info | service_name = MozillaMaintenance | False 1, then True 1
Get Info | service_name = MpsSvc | False 1, then True 1
Get Info | service_name = MSDTC | False 1, then True 1
Get Info | service_name = MSiSCSI | False 1, then True 1
Get Info | service_name = msiserver | False 1, then True 1
Get Info | service_name = napagent | False 1, then True 1
Get Info | service_name = Netlogon | False 1, then True 1
Get Info | service_name = Netman | False 1, then True 1
Get Info | service_name = NetMsmqActivator | False 1, then True 1
Get Info | service_name = NetPipeActivator | False 1, then True 1
Get Info | service_name = netprofm | False 1, then True 1
Get Info | service_name = NetTcpActivator | False 1, then True 1
Get Info | service_name = NetTcpPortSharing | False 1, then True 1
Get Info | service_name = NlaSvc | False 1, then True 1
Get Info | service_name = nsi | False 1, then True 1
Get Info | service_name = ose64 | False 1, then True 1
Get Info | service_name = osppsvc | False 1, then True 1
Get Info | service_name = p2pimsvc | False 1, then True 1
Get Info | service_name = p2psvc | False 1, then True 1
Get Info | service_name = PcaSvc | False 1, then True 1
Get Info | service_name = PeerDistSvc | False 1, then True 1
Get Info | service_name = PerfHost | False 1, then True 1
Get Info | service_name = pla | False 1, then True 1
Get Info | service_name = PlugPlay | False 1, then True 1
Get Info | service_name = PNRPAutoReg | False 1, then True 1
Get Info | service_name = PNRPsvc | False 1, then True 1
Get Info | service_name = PolicyAgent | False 1, then True 1
Get Info | service_name = Power | False 1, then True 1
Get Info | service_name = ProfSvc | False 1, then True 1
Get Info | service_name = ProtectedStorage | False 1, then True 1
Get Info | service_name = QWAVE | False 1, then True 1
Get Info | service_name = RasAuto | False 1, then True 1
Get Info | service_name = RasMan | False 1, then True 1
Get Info | service_name = RemoteAccess | False 1, then True 1
Get Info | service_name = RemoteRegistry | False 1, then True 1
Get Info | service_name = RpcEptMapper | False 1, then True 1
Get Info | service_name = RpcLocator | False 1, then True 1
Get Info | service_name = RpcSs | False 1, then True 1
Get Info | service_name = SamSs | False 1, then True 1
Get Info | service_name = SCardSvr | False 1, then True 1
Get Info | service_name = Schedule | False 1, then True 1
Get Info | service_name = SCPolicySvc | False 1, then True 1
Get Info | service_name = SDRSVC | False 1, then True 1
Get Info | service_name = seclogon | False 1, then True 1
Get Info | service_name = SENS | False 1, then True 1
Get Info | service_name = SensrSvc | False 1, then True 1
Get Info | service_name = SessionEnv | False 1, then True 1
Get Info | service_name = SharedAccess | False 1, then True 1
Get Info | service_name = ShellHWDetection | False 1, then True 1
Get Info | service_name = SNMPTRAP | False 1, then True 1
Get Info | service_name = Spooler | False 1, then True 1
Get Info | service_name = sppsvc | False 1, then True 1
Get Info | service_name = sppuinotify | False 1, then True 1
Get Info | service_name = SSDPSRV | False 1, then True 1
Get Info | service_name = SstpSvc | False 1, then True 1
Get Info | service_name = stisvc | False 1, then True 1
Get Info | service_name = StorSvc | False 1, then True 1
Get Info | service_name = swprv | False 1, then True 1
Get Info | service_name = SysMain | False 1, then True 1
Get Info | service_name = TabletInputService | False 1, then True 1
Get Info | service_name = TapiSrv | False 1, then True 1
Get Info | service_name = TBS | False 1, then True 1
Get Info | service_name = TermService | False 1, then True 1
Get Info | service_name = Themes | False 1, then True 1
Get Info | service_name = THREADORDER | False 1, then True 1
Get Info | service_name = TrkWks | False 1, then True 1
Get Info | service_name = TrustedInstaller | False 1, then True 1
Get Info | service_name = UI0Detect | False 1, then True 1
Get Info | service_name = UmRdpService | False 1, then True 1
Get Info | service_name = upnphost | False 1, then True 1
Get Info | service_name = UxSms | False 1, then True 1
Get Info | service_name = VaultSvc | False 1, then True 1
Get Info | service_name = vds | False 1, then True 1
Get Info | service_name = VSS | False 1, then True 1
Get Info | service_name = W32Time | False 1, then True 1
Get Info | service_name = wbengine | False 1, then True 1
Get Info | service_name = WbioSrvc | False 1, then True 1
Get Info | service_name = wcncsvc | False 1, then True 1
Get Info | service_name = WcsPlugInService | False 1, then True 1
Get Info | service_name = WdiServiceHost | False 1, then True 1
Get Info | service_name = WdiSystemHost | False 1, then True 1
Get Info | service_name = WebClient | False 1, then True 1
Get Info | service_name = Wecsvc | False 1, then True 1
Get Info | service_name = wercplsupport | False 1, then True 1
Get Info | service_name = WerSvc | False 1, then True 1
Get Info | service_name = WinDefend | False 1, then True 1
Get Info | service_name = WinHttpAutoProxySvc | False 1, then True 1
Get Info | service_name = Winmgmt | False 1, then True 1
Get Info | service_name = WinRM | False 1, then True 1
Get Info | service_name = Wlansvc | False 1, then True 1
Get Info | service_name = wmiApSrv | False 1, then True 1
Get Info | service_name = WMPNetworkSvc | False 1, then True 1
Get Info | service_name = WPCSvc | False 1, then True 1
Get Info | service_name = WPDBusEnum | False 1, then True 1
Get Info | service_name = wscsvc | False 1, then True 1
Get Info | service_name = WSearch | False 1, then True 1
Get Info | service_name = wuauserv | False 1, then True 1
Get Info | service_name = wudfsvc | False 1, then True 1
Get Info | service_name = WwanSvc | False 1, then True 1
Open | database_name = SERVICES_ACTIVE_DATABASE | True 1 (129 consecutive identical rows, one call each)
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
Register Handler - True 1
Fn
Driver (50)
Operation Driver Additional Information Success Count Logfile
Control C:\$Recycle.Bin control_code = 0x900a8 False 1 Fn
Control C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000 control_code = 0x900a8 False 1 Fn
Control C:\Boot control_code = 0x900a8 False 1 Fn
Control C:\Boot\cs-CZ control_code = 0x900a8 False 1 Fn
Control C:\Boot\da-DK control_code = 0x900a8 False 1 Fn
Control C:\Boot\de-DE control_code = 0x900a8 False 1 Fn
Control C:\Boot\el-GR control_code = 0x900a8 False 1 Fn
Control C:\Boot\en-US control_code = 0x900a8 False 1 Fn
Control C:\Boot\es-ES control_code = 0x900a8 False 1 Fn
Control C:\Boot\fi-FI control_code = 0x900a8 False 1 Fn
Control C:\Boot\Fonts control_code = 0x900a8 False 1 Fn
Control C:\Boot\fr-FR control_code = 0x900a8 False 1 Fn
Control C:\Boot\hu-HU control_code = 0x900a8 False 1 Fn
Control C:\Boot\it-IT control_code = 0x900a8 False 1 Fn
Control C:\Boot\ja-JP control_code = 0x900a8 False 1 Fn
Control C:\Boot\ko-KR control_code = 0x900a8 False 1 Fn
Control C:\Boot\nb-NO control_code = 0x900a8 False 1 Fn
Control C:\Boot\nl-NL control_code = 0x900a8 False 1 Fn
Control C:\Boot\pl-PL control_code = 0x900a8 False 1 Fn
Control C:\Boot\pt-BR control_code = 0x900a8 False 1 Fn
Control C:\Boot\pt-PT control_code = 0x900a8 False 1 Fn
Control C:\Boot\ru-RU control_code = 0x900a8 False 1 Fn
Control C:\Boot\sv-SE control_code = 0x900a8 False 1 Fn
Control C:\Boot\tr-TR control_code = 0x900a8 False 1 Fn
Control C:\Boot\zh-CN control_code = 0x900a8 False 1 Fn
Control C:\Boot\zh-HK control_code = 0x900a8 False 1 Fn
Control C:\Boot\zh-TW control_code = 0x900a8 False 1 Fn
Control C:\Config.Msi control_code = 0x900a8 False 1 Fn
Control C:\MSOCache control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033 control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us control_code = 0x900a8 False 1 Fn
Control C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C control_code = 0x900a8 False 1 Fn
System (268)
Operation Additional Information Success Count Logfile
Sleep duration = -1 (infinite) True 249 Fn
Get Time type = Ticks, time = 95394 True 10 Fn
Get Info type = Operating System True 6 Fn
Get Info type = Operating System True 1 Fn
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1 Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1 Fn
Mutex (5)
Operation Additional Information Success Count Logfile
Create - True 1 Fn
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 2 Fn
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}, desired_access = SYNCHRONIZE True 1 Fn
Release - True 1 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String name = COMPUTERNAME, result_out = XDUWTFONO True 1 Fn
Process #18: vssvc.exe
0 0
Information Value
ID #18
File Name c:\windows\system32\vssvc.exe
Command Line C:\Windows\system32\vssvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:35, Reason: Child Process
Unmonitor End Time: 00:01:34, Reason: Self Terminated
Monitor Duration 00:00:59
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9ac
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x9B0, 0x9B4, 0x9B8, 0x9BC, 0x9C0, 0x9C4, 0x9C8, 0x9DC, 0xA00, 0x88C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c1fff Pagefile Backed Memory rw True False False -
vssvc.exe.mui 0x000d0000 0x000e0fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory r True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x0032ffff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x0088ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000890000 0x00890000 0x00c82fff Pagefile Backed Memory r True False False -
private_0x0000000000d10000 0x00d10000 0x00d8ffff Private Memory rw True False False -
private_0x0000000000de0000 0x00de0000 0x00e5ffff Private Memory rw True False False -
private_0x0000000000ea0000 0x00ea0000 0x00f1ffff Private Memory rw True False False -
private_0x0000000001030000 0x01030000 0x010affff Private Memory rw True False False -
sortdefault.nls 0x010b0000 0x0137efff Memory Mapped File r False False False -
private_0x0000000001490000 0x01490000 0x0150ffff Private Memory rw True False False -
private_0x0000000001540000 0x01540000 0x015bffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
vssvc.exe 0xff4c0000 0xff64afff Memory Mapped File rwx False False False -
catsrvut.dll 0x7fef4af0000 0x7fef4b74fff Memory Mapped File rwx False False False -
resutils.dll 0x7fef7230000 0x7fef7248fff Memory Mapped File rwx False False False -
clusapi.dll 0x7fef7250000 0x7fef729ffff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef7e80000 0x7fef7e96fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef7ea0000 0x7fef804ffff Memory Mapped File rwx False False False -
vss_ps.dll 0x7fef9000000 0x7fef9013fff Memory Mapped File rwx False False False -
mfcsubs.dll 0x7fef9030000 0x7fef903bfff Memory Mapped File rwx False False False -
xolehlp.dll 0x7fef9040000 0x7fef9053fff Memory Mapped File rwx False False False -
fltlib.dll 0x7fef9060000 0x7fef9068fff Memory Mapped File rwx False False False -
virtdisk.dll 0x7fef9070000 0x7fef9079fff Memory Mapped File rwx False False False -
es.dll 0x7fefb1c0000 0x7fefb226fff Memory Mapped File rwx False False False -
atl.dll 0x7fefb260000 0x7fefb278fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb890000 0x7fefb8a3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb8b0000 0x7fefb8c4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb8d0000 0x7fefb8dbfff Memory Mapped File rwx False False False -
netapi32.dll 0x7fefb8e0000 0x7fefb8f5fff Memory Mapped File rwx False False False -
samlib.dll 0x7fefbff0000 0x7fefc00cfff Memory Mapped File rwx False False False -
propsys.dll 0x7fefc540000 0x7fefc66bfff Memory Mapped File rwx False False False -
version.dll 0x7fefc970000 0x7fefc97bfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
authz.dll 0x7fefd290000 0x7fefd2befff Memory Mapped File rwx False False False -
cryptdll.dll 0x7fefd340000 0x7fefd353fff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd5a0000 0x7fefd5c2fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
devobj.dll 0x7fefd970000 0x7fefd989fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7fefdb00000 0x7fefdb35fff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
setupapi.dll 0x7feff300000 0x7feff4d6fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7feff4e0000 0x7feff550fff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #19: 8dat2h~1:bin
352 0
Information Value
ID #19
File Name c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin
Command Line C:\Users\5P5NRG~1\AppData\Roaming\\8DAT2H~1:bin
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:36, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:48
OS Process Information
Information Value
PID 0x9cc
Parent PID 0x97c (c:\program files\common files\microsoft shared\source engine\ose.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x9D0, 0x9FC, 0xAA0, 0x5B8, 0x5EC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
private_0x0000000000070000 0x00070000 0x0008bfff Private Memory rwx True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory rw True False False -
locale.nls 0x001d0000 0x00236fff Memory Mapped File r False False False -
private_0x0000000000240000 0x00240000 0x00251fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x002affff Private Memory rw True False False -
rsaenh.dll 0x002b0000 0x002ebfff Memory Mapped File r False False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory rw True False False -
8dat2h~1 0x00350000 0x00372fff Memory Mapped File rwx True True False
private_0x00000000003a0000 0x003a0000 0x0049ffff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x0053ffff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x005effff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x005affff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory rw True False False -
private_0x00000000005f0000 0x005f0000 0x0062ffff Private Memory rw True False False -
private_0x0000000000680000 0x00680000 0x0077ffff Private Memory rw True False False -
pagefile_0x0000000000780000 0x00780000 0x00907fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000910000 0x00910000 0x00a90fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000aa0000 0x00aa0000 0x01e9ffff Pagefile Backed Memory r True False False -
private_0x0000000001ea0000 0x01ea0000 0x01f9ffff Private Memory rw True False False -
private_0x0000000002060000 0x02060000 0x0206ffff Private Memory rw True False False -
private_0x0000000002070000 0x02070000 0x0224ffff Private Memory rw True False False -
private_0x0000000002070000 0x02070000 0x0216ffff Private Memory rw True False False -
private_0x0000000002240000 0x02240000 0x0224ffff Private Memory rw True False False -
sortdefault.nls 0x02250000 0x0251efff Memory Mapped File r False False False -
private_0x00000000026e0000 0x026e0000 0x027dffff Private Memory rw True False False -
private_0x00000000028f0000 0x028f0000 0x029effff Private Memory rw True False False -
wow64cpu.dll 0x74f80000 0x74f87fff Memory Mapped File rwx False False False -
wow64win.dll 0x74f90000 0x74febfff Memory Mapped File rwx False False False -
wow64.dll 0x74ff0000 0x7502efff Memory Mapped File rwx False False False -
ntmarta.dll 0x750f0000 0x75110fff Memory Mapped File rwx False False False -
rsaenh.dll 0x75130000 0x7516afff Memory Mapped File rwx False False False -
cryptsp.dll 0x75170000 0x75185fff Memory Mapped File rwx False False False -
gdiplus.dll 0x751b0000 0x7533ffff Memory Mapped File rwx False False False -
comctl32.dll 0x75340000 0x753c3fff Memory Mapped File rwx False False False -
winmm.dll 0x753d0000 0x75401fff Memory Mapped File rwx False False False -
oledlg.dll 0x75410000 0x7542bfff Memory Mapped File rwx False False False -
winspool.drv 0x75430000 0x75480fff Memory Mapped File rwx False False False -
cryptbase.dll 0x75590000 0x7559bfff Memory Mapped File rwx False False False -
sspicli.dll 0x755a0000 0x755fffff Memory Mapped File rwx False False False -
msvcrt.dll 0x75660000 0x7570bfff Memory Mapped File rwx False False False -
lpk.dll 0x75710000 0x75719fff Memory Mapped File rwx False False False -
crypt32.dll 0x75720000 0x7583cfff Memory Mapped File rwx False False False -
sechost.dll 0x75a60000 0x75a78fff Memory Mapped File rwx False False False -
gdi32.dll 0x75a80000 0x75b0ffff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75b10000 0x75bfffff Memory Mapped File rwx False False False -
msasn1.dll 0x75c60000 0x75c6bfff Memory Mapped File rwx False False False -
wldap32.dll 0x75c70000 0x75cb4fff Memory Mapped File rwx False False False -
shell32.dll 0x75cc0000 0x76909fff Memory Mapped File rwx False False False -
msctf.dll 0x76b30000 0x76bfbfff Memory Mapped File rwx False False False -
imm32.dll 0x76c00000 0x76c5ffff Memory Mapped File rwx False False False -
ole32.dll 0x76e30000 0x76f8bfff Memory Mapped File rwx False False False -
advapi32.dll 0x76f90000 0x7702ffff Memory Mapped File rwx False False False -
user32.dll 0x771d0000 0x772cffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77350000 0x773a6fff Memory Mapped File rwx False False False -
kernel32.dll 0x773b0000 0x774bffff Memory Mapped File rwx False False False -
usp10.dll 0x77550000 0x775ecfff Memory Mapped File rwx False False False -
kernelbase.dll 0x775f0000 0x77635fff Memory Mapped File rwx False False False -
private_0x0000000077640000 0x77640000 0x77739fff Private Memory rwx True False False -
private_0x0000000077740000 0x77740000 0x7785efff Private Memory rwx True False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
ntdll.dll 0x77a40000 0x77bbffff Memory Mapped File rwx False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory rw True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory rw True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory rw True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory rw True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Windows\TEMP\EtcB3F9.tmp 0.09 KB MD5: a6ba8e0370f83b101efaead1ffe56ba3
SHA1: 52aa83c47c570d7df33575bfc06a161dd91cbb73
SHA256: b28fa7dfe5b277f9056c095bf93d5545b1c29c3766189fbce791520244f2e62e
SSDeep: 3:cPGKhARtucmJhpozzlLq3QRtt7hX4an:oGKWbTwhp4oAbt6a
False
C:\Users\5P5NRG~1\AppData\Roaming\mov7tWJUGg 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
C:\Windows\TEMP\zBA72.tmp 0.27 KB MD5: 48dc487b4efeae7397cf3de8ad52b857
SHA1: c02eaa43c144a37abc36f11bde2400c80ad26bb0
SHA256: 5d12da043c8ef4de78510423075ad0f5761bdcb474a3acef5db643f1246616a4
SSDeep: 6:oGKWbTwhpdBMW+hFa5urYs0D5FFW3vyQuvskEcNIov:oWfw7d5Pu0vD5FFW3vyQu0kdIy
False
C:\Windows\TEMP\wLaB291.tmp 0.06 KB MD5: 58f0b5925675e4be77420b9d29c24c04
SHA1: e728cd694a3fee1e04e0124e86da05d7db5c1c54
SHA256: 1e81e0f55d5da3c062050676bb452f68b5c4cc944fddedebad1bfdb180e483b5
SSDeep: 3:qiTmJh1k5RAkSZv:7wh+5mfR
False
C:\Windows\TEMP\MPBA73.tmp 0.10 KB MD5: 9a042997fea2f144df904de527694e58
SHA1: bebffe9adc332738333887230f1eec81ce8742ab
SHA256: f95584715df74f908b483323d278e9573e5b75adf0dd5d848859e849ebcdbcf7
SSDeep: 3:cMLH6+W4RKGzUTTFk3QWWALV2RHIZJVFBX/:cMj6b4RvzI9WHLoRo3VFBX/
False
C:\Windows\TEMP\XA9AED7.tmp 0.06 KB MD5: 44ab1155051f70b414b12b027f92fce8
SHA1: 83cf1732eb1c826953880ef2f800409b00f20818
SHA256: ba00146ddfc63902906c6fe74901c94ae285a832ac095aeaa07857dedda55ea4
SSDeep: 3:qiTmJhGqIA5RAkSZv:7whGzA5mfR
False
C:\Windows\TEMP\jPEAEC7.tmp 0.04 KB MD5: 605866a66fd890d4efa389a56fb183a4
SHA1: a367e27150a9a1902d7bbd65e63f683fe45f8f61
SHA256: 96dfbfffa039f5f9bce909a750cc90d5b1d1b4ccc4a515b2687a10c89f234047
SSDeep: 3:cPGKhARtucmJhpov:oGKWbTwhpy
False
Host Behavior
File (71)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\TEMP\qFA91A.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\4A91B.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\qFA91A.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\jPEAEC7.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\XA9AED7.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\jPEAEC7.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\OolB290.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\wLaB291.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\OolB290.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\EtcB3F9.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\cDB3FA.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\EtcB3F9.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\UAfB81F.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\vB820.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\UAfB81F.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\zBA72.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\MPBA73.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\zBA72.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\3cBD61.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\2RzBD72.tmp desired_access = FILE_APPEND_DATA, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create C:\Windows\TEMP\3cBD61.tmp desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Create Temp File C:\Windows\TEMP\qFA91A.tmp path = C:\Windows\TEMP, prefix = qF True 1 Fn
Create Temp File C:\Windows\TEMP\4A91B.tmp path = C:\Windows\TEMP, prefix = 4 True 1 Fn
Create Temp File C:\Windows\TEMP\jPEAEC7.tmp path = C:\Windows\TEMP, prefix = jPE True 1 Fn
Create Temp File C:\Windows\TEMP\XA9AED7.tmp path = C:\Windows\TEMP, prefix = XA9 True 1 Fn
Create Temp File C:\Windows\TEMP\OolB290.tmp path = C:\Windows\TEMP, prefix = Ool True 1 Fn
Create Temp File C:\Windows\TEMP\wLaB291.tmp path = C:\Windows\TEMP, prefix = wLa True 1 Fn
Create Temp File C:\Windows\TEMP\EtcB3F9.tmp path = C:\Windows\TEMP, prefix = Etc True 1 Fn
Create Temp File C:\Windows\TEMP\cDB3FA.tmp path = C:\Windows\TEMP, prefix = cD True 1 Fn
Create Temp File C:\Windows\TEMP\UAfB81F.tmp path = C:\Windows\TEMP, prefix = UAf True 1 Fn
Create Temp File C:\Windows\TEMP\vB820.tmp path = C:\Windows\TEMP, prefix = v True 1 Fn
Create Temp File C:\Windows\TEMP\zBA72.tmp path = C:\Windows\TEMP, prefix = z True 1 Fn
Create Temp File C:\Windows\TEMP\MPBA73.tmp path = C:\Windows\TEMP, prefix = MP True 1 Fn
Create Temp File C:\Windows\TEMP\3cBD61.tmp path = C:\Windows\TEMP, prefix = 3c True 1 Fn
Create Temp File C:\Windows\TEMP\2RzBD72.tmp path = C:\Windows\TEMP, prefix = 2Rz True 1 Fn
Get Info C:\Windows\TEMP\qFA91A.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\4A91B.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\jPEAEC7.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\XA9AED7.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\OolB290.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\wLaB291.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\EtcB3F9.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\cDB3FA.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\UAfB81F.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\vB820.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\zBA72.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\MPBA73.tmp type = file_attributes True 1 Fn
Get Info C:\Windows\TEMP\3cBD61.tmp type = size, size_out = 0 True 1 Fn
Get Info C:\Windows\TEMP\2RzBD72.tmp type = file_attributes True 1 Fn
Read C:\Windows\TEMP\qFA91A.tmp size = 377, size_out = 377 True 1 Fn Data
Read C:\Windows\TEMP\jPEAEC7.tmp size = 43, size_out = 43 True 1 Fn Data
Read C:\Windows\TEMP\OolB290.tmp size = 43, size_out = 43 True 1 Fn Data
Read C:\Windows\TEMP\EtcB3F9.tmp size = 92, size_out = 92 True 1 Fn Data
Read C:\Windows\TEMP\UAfB81F.tmp size = 43, size_out = 43 True 1 Fn Data
Read C:\Windows\TEMP\zBA72.tmp size = 275, size_out = 275 True 1 Fn Data
Read C:\Windows\TEMP\3cBD61.tmp size = 0, size_out = 0 True 1 Fn
Delete C:\Windows\TEMP\qFA91A.tmp - True 1 Fn
Delete C:\Windows\TEMP\4A91B.tmp - True 1 Fn
Delete C:\Windows\TEMP\jPEAEC7.tmp - True 1 Fn
Delete C:\Windows\TEMP\XA9AED7.tmp - True 1 Fn
Delete C:\Windows\TEMP\OolB290.tmp - True 1 Fn
Delete C:\Windows\TEMP\wLaB291.tmp - True 1 Fn
Delete C:\Windows\TEMP\EtcB3F9.tmp - True 1 Fn
Delete C:\Windows\TEMP\cDB3FA.tmp - True 1 Fn
Delete C:\Windows\TEMP\UAfB81F.tmp - True 1 Fn
Delete C:\Windows\TEMP\vB820.tmp - True 1 Fn
Delete C:\Windows\TEMP\zBA72.tmp - True 1 Fn
Delete C:\Windows\TEMP\MPBA73.tmp - True 1 Fn
Delete C:\Windows\TEMP\3cBD61.tmp - True 1 Fn
Delete C:\Windows\TEMP\2RzBD72.tmp - True 1 Fn
Delete C:\Users\5P5NRG~1\AppData\Roaming\8DAT2H~1 - True 1 Fn
Registry (213)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Duplicate Key - - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Process (7)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\arp.exe os_pid = 0xaa8, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\nslookup.exe os_pid = 0xac8, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\nslookup.exe os_pid = 0xae0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\nslookup.exe os_pid = 0xaf8, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\nslookup.exe os_pid = 0xb14, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\nslookup.exe os_pid = 0xb30, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Create C:\Windows\system32\net.exe os_pid = 0xb4c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
Fn
Module (5)
Operation Module Additional Information Success Count Logfile
Load KERNEL32.dll base_address = 0x773b0000 True 1
Fn
Load crypt32.dll base_address = 0x0 True 1
Fn
Get Filename - process_name = c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin, file_name_orig = C:\Users\5P5NRG~1\AppData\Roaming\8DAT2H~1:bin, size = 4096 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringA, address_out = 0x773eb2b7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapValidate, address_out = 0x773db17b True 1
Fn
System (19)
Operation Additional Information Success Count Logfile
Get Time type = Ticks, time = 99591 True 10
Fn
Get Info type = Operating System True 6
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Wow64 Directory, result_out = C:\Windows\SysWOW64 True 1
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Mutex (6)
Operation Additional Information Success Count Logfile
Create - True 1
Fn
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 2
Fn
Open mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}, desired_access = SYNCHRONIZE True 1
Fn
Release - True 1
Fn
Release mutex_name = Global\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E} False 1
Fn
Process #20: svchost.exe
Information Value
ID #20
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k swprv
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:36, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:55
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x9d4
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x9d8, 0x9e0, 0x9e4, 0x9e8, 0x9ec, 0x9f4, 0x894
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x0017ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x0022ffff Private Memory rw True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory rw True False False -
pagefile_0x0000000000240000 0x00240000 0x00240fff Pagefile Backed Memory r True False False -
private_0x0000000000260000 0x00260000 0x002dffff Private Memory rw True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x0062ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x006cffff Private Memory rw True False False -
private_0x0000000000700000 0x00700000 0x0077ffff Private Memory rw True False False -
sortdefault.nls 0x00780000 0x00a4efff Memory Mapped File r False False False -
pagefile_0x0000000000a50000 0x00a50000 0x00bd7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000be0000 0x00be0000 0x00d60fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000d70000 0x00d70000 0x01162fff Pagefile Backed Memory r True False False -
private_0x0000000001170000 0x01170000 0x011effff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
swprv.dll 0x7fef4490000 0x7fef4511fff Memory Mapped File rwx False False False -
vsstrace.dll 0x7fef7e80000 0x7fef7e96fff Memory Mapped File rwx False False False -
vssapi.dll 0x7fef7ea0000 0x7fef804ffff Memory Mapped File rwx False False False -
vss_ps.dll 0x7fef9000000 0x7fef9013fff Memory Mapped File rwx False False False -
fltlib.dll 0x7fef9060000 0x7fef9068fff Memory Mapped File rwx False False False -
virtdisk.dll 0x7fef9070000 0x7fef9079fff Memory Mapped File rwx False False False -
atl.dll 0x7fefb260000 0x7fefb278fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7fefcda0000 0x7fefcde6fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7fefd0a0000 0x7fefd0b6fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7fefdc50000 0x7fefdd26fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7feff560000 0x7feff5f8fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd3000 0x7fffffd3000 0x7fffffd4fff Private Memory rw True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #21: arp.exe
Information Value
ID #21
File Name c:\windows\system32\arp.exe
Command Line C:\Windows\system32\arp.exe -a
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:46, Reason: Child Process
Unmonitor End Time: 00:00:48, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xaa8
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xaac, 0xac0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
arp.exe.mui 0x000e0000 0x000e1fff Memory Mapped File rw False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory rw True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory rw True False False -
private_0x0000000000410000 0x00410000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00697fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006a0000 0x006a0000 0x00820fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000830000 0x00830000 0x01c2ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01c30000 0x01efefff Memory Mapped File r False False False -
private_0x0000000002080000 0x02080000 0x020fffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fff0fff Private Memory rw True False False -
arp.exe 0xff310000 0xff319fff Memory Mapped File rwx False False False -
inetmib1.dll 0x7fef4bf0000 0x7fef4c03fff Memory Mapped File rwx False False False -
snmpapi.dll 0x7fef9020000 0x7fef902afff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #22: nslookup.exe
Information Value
ID #22
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 192.168.0.1
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:00:48, Reason: Self Terminated
Monitor Duration 00:00:00
OS Process Information
Information Value
PID 0xac8
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xacc
0xadc
Region
Host Behavior
File (1)
Operation Filename Additional Information Success Count
Write STD_ERROR_HANDLE size = 57 True 1
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff230000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-01-18 08:45:41 (UTC) True 1
Get Time type = Ticks, time = 111150 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 84 bytes
Total Data Received 143 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 101 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 101 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
Process #23: nslookup.exe
Information Value
ID #23
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 192.168.0.255
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:00:50, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xae0
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xae4
0xaf4
Region
Host Behavior
File (1)
Operation Filename Additional Information Success Count
Write STD_ERROR_HANDLE size = 59 True 1
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff0b0000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-01-18 08:45:41 (UTC) True 1
Get Time type = Ticks, time = 111415 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 86 bytes
Total Data Received 145 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 44 bytes
Data Received 103 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 44, size_out = 44 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 103 True 1
Close type = SOCK_DGRAM True 1
Process #24: nslookup.exe
Information Value
ID #24
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 224.0.0.22
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:00:50, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xaf8
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xafc
0xb10
Region
Host Behavior
Registry (7)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count
Get Handle c:\windows\system32\nslookup.exe base_address = 0xffa20000 True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-01-18 08:45:41 (UTC) True 1
Get Time type = Ticks, time = 111665 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 83 bytes
Total Data Received 111 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 41 bytes
Data Received 69 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 41, size_out = 41 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 69 True 1
Close type = SOCK_DGRAM True 1
Process #25: nslookup.exe
Information Value
ID #25
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 224.0.0.252
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:00:51, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xb14
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xb18
0xb2c
Region
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 57 True 1
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0xffa40000 True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-01-18 08:45:42 (UTC) True 1
Get Time type = Ticks, time = 112757 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 84 bytes
Total Data Received 141 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 99 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 99 True 1
Close type = SOCK_DGRAM True 1
Process #26: nslookup.exe
11 11
Information Value
ID #26
File Name c:\windows\system32\nslookup.exe
Command Line C:\Windows\system32\nslookup.exe 255.255.255.255
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:00:52, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb30
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB34
0xB48
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory rw True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory rw True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
nslookup.exe.mui 0x00270000 0x00274fff Memory Mapped File rw False False False -
private_0x0000000000280000 0x00280000 0x00280fff Private Memory rw True False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x00547fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000550000 0x00550000 0x006d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000006e0000 0x006e0000 0x01adffff Pagefile Backed Memory r True False False -
private_0x0000000001ae0000 0x01ae0000 0x01b6ffff Private Memory rw True False False -
private_0x0000000001c40000 0x01c40000 0x01cbffff Private Memory rw True False False -
sortdefault.nls 0x01cc0000 0x01f8efff Memory Mapped File r False False False -
private_0x0000000001f90000 0x01f90000 0x0213ffff Private Memory rw True False False -
private_0x0000000002180000 0x02180000 0x021fffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fffe000 0x7fffe000 0x7fffefff Private Memory rw True False False -
nslookup.exe 0xff490000 0xff4b6fff Memory Mapped File rwx True False False -
wsock32.dll 0x7fef9020000 0x7fef9028fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7fefaef0000 0x7fefaf07fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7fefaf10000 0x7fefaf20fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7fefb300000 0x7fefb314fff Memory Mapped File rwx False False False -
pnrpnsp.dll 0x7fefb990000 0x7fefb9a8fff Memory Mapped File rwx False False False -
napinsp.dll 0x7fefb9b0000 0x7fefb9c4fff Memory Mapped File rwx False False False -
winrnr.dll 0x7fefba30000 0x7fefba3afff Memory Mapped File rwx False False False -
wshtcpip.dll 0x7fefca40000 0x7fefca46fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7fefcec0000 0x7fefcf1afff Memory Mapped File rwx False False False -
mswsock.dll 0x7fefd040000 0x7fefd094fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
ws2_32.dll 0x7feffb20000 0x7feffb6cfff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Write STD_ERROR_HANDLE size = 102 True 1
Registry (7)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList True 1
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Module (1)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0xff490000 True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-01-18 08:45:43 (UTC) True 1
Get Time type = Ticks, time = 113631 True 1
Network Behavior
DNS (1)
Operation Additional Information Success Count Logfile
Get Hostname name_out = XDuwTfOno True 1
UDP Sessions (2)
Information Value
Total Data Sent 88 bytes
Total Data Received 147 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Close type = SOCK_DGRAM True 1
UDP Session #2
Information Value
Handle 0x110
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 56004
Data Sent 46 bytes
Data Received 105 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Send flags = NO_FLAG_SET, size = 46, size_out = 46 True 1
Receive flags = NO_FLAG_SET, size = 65536, size_out = 105 True 1
Close type = SOCK_DGRAM True 1
Process #27: net.exe
0 0
Information Value
ID #27
File Name c:\windows\system32\net.exe
Command Line C:\Windows\system32\net.exe view igmp.mcast.net
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:01:24, Reason: Self Terminated
Monitor Duration 00:00:33
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xb4c
Parent PID 0x9cc (c:\users\5p5nrg~1\appdata\roaming\8dat2h~1:bin)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB50
0x6A0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x0023ffff Private Memory rw True False False -
locale.nls 0x00240000 0x002a6fff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x0000000000470000 0x00470000 0x0047ffff Private Memory rw True False False -
pagefile_0x0000000000480000 0x00480000 0x00872fff Pagefile Backed Memory r True False False -
private_0x00000000009b0000 0x009b0000 0x00a2ffff Private Memory rw True False False -
netmsg.dll 0x750e0000 0x750e1fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff9000 0x7fff9000 0x7fff9fff Private Memory rw True False False -
net.exe 0xff120000 0xff13bfff Memory Mapped File rwx False False False -
browcli.dll 0x7fef4bf0000 0x7fef4c01fff Memory Mapped File rwx False False False -
cscapi.dll 0x7fef92d0000 0x7fef92defff Memory Mapped File rwx False False False -
mpr.dll 0x7fefac90000 0x7fefaca7fff Memory Mapped File rwx False False False -
winnsi.dll 0x7fefb130000 0x7fefb13afff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7fefb140000 0x7fefb166fff Memory Mapped File rwx False False False -
samcli.dll 0x7fefb890000 0x7fefb8a3fff Memory Mapped File rwx False False False -
wkscli.dll 0x7fefb8b0000 0x7fefb8c4fff Memory Mapped File rwx False False False -
netutils.dll 0x7fefb8d0000 0x7fefb8dbfff Memory Mapped File rwx False False False -
srvcli.dll 0x7fefd5a0000 0x7fefd5c2fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
nsi.dll 0x7fefdef0000 0x7fefdef7fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #28: svchost.exe
0 0
Information Value
ID #28
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:08, Reason: Child Process
Unmonitor End Time: 00:01:31, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xbc4
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Local Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBC8
0xBCC
0xBD0
0xBD4
0xBD8
0x658
0x8D8
0x8C0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x0010ffff Private Memory rw True False False -
locale.nls 0x00110000 0x00176fff Memory Mapped File r False False False -
pagefile_0x0000000000180000 0x00180000 0x0023ffff Pagefile Backed Memory r True False False -
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory rw True False False -
private_0x00000000003b0000 0x003b0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x00637fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000640000 0x00640000 0x007c0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007d0000 0x007d0000 0x00bc2fff Pagefile Backed Memory r True False False -
private_0x0000000000c70000 0x00c70000 0x00ceffff Private Memory rw True False False -
private_0x0000000000da0000 0x00da0000 0x00e1ffff Private Memory rw True False False -
private_0x0000000000e90000 0x00e90000 0x00f0ffff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00faffff Private Memory rw True False False -
sortdefault.nls 0x00fb0000 0x0127efff Memory Mapped File r False False False -
private_0x00000000016b0000 0x016b0000 0x0172ffff Private Memory rw True False False -
pagefile_0x0000000001730000 0x01730000 0x01b2ffff Pagefile Backed Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
svchost.exe 0xfff20000 0xfff2afff Memory Mapped File rwx False False False -
fntcache.dll 0x7fef4250000 0x7fef436afff Memory Mapped File rwx False False False -
ktmw32.dll 0x7fefacb0000 0x7fefacb9fff Memory Mapped File rwx False False False -
ntmarta.dll 0x7fefc7a0000 0x7fefc7ccfff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
wldap32.dll 0x7feff600000 0x7feff651fff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
private_0x000007fffffae000 0x7fffffae000 0x7fffffaffff Private Memory rw True False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd4000 0x7fffffd4000 0x7fffffd5fff Private Memory rw True False False -
private_0x000007fffffd6000 0x7fffffd6000 0x7fffffd7fff Private Memory rw True False False -
private_0x000007fffffd8000 0x7fffffd8000 0x7fffffd9fff Private Memory rw True False False -
private_0x000007fffffda000 0x7fffffda000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdc000 0x7fffffdc000 0x7fffffddfff Private Memory rw True False False -
private_0x000007fffffde000 0x7fffffde000 0x7fffffdffff Private Memory rw True False False -
Process #29: sppsvc.exe
0 0
Information Value
ID #29
File Name c:\windows\system32\sppsvc.exe
Command Line C:\Windows\system32\sppsvc.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:03:04
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x76c
Parent PID 0x1d4 (c:\windows\system32\services.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\Network Service
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x20C
0x63C
0x678
0x128
0x83C
0x8DC
0x904
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00051fff Pagefile Backed Memory rw True False False -
private_0x0000000000060000 0x00060000 0x0015ffff Private Memory rw True False False -
locale.nls 0x00160000 0x001c6fff Memory Mapped File r False False False -
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory rw True False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory rw True False False -
private_0x0000000000260000 0x00260000 0x0026ffff Private Memory rw True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x004f7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000500000 0x00500000 0x00680fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000690000 0x00690000 0x0074ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x00b42fff Pagefile Backed Memory r True False False -
private_0x0000000000b50000 0x00b50000 0x00b50fff Private Memory rw True False False -
private_0x0000000000b60000 0x00b60000 0x00bdffff Private Memory rw True False False -
private_0x0000000000c00000 0x00c00000 0x00c7ffff Private Memory rw True False False -
private_0x0000000000d80000 0x00d80000 0x00dfffff Private Memory rw True False False -
private_0x0000000000f30000 0x00f30000 0x00faffff Private Memory rw True False False -
user32.dll 0x77640000 0x77739fff Memory Mapped File rwx False False False -
kernel32.dll 0x77740000 0x7785efff Memory Mapped File rwx False False False -
ntdll.dll 0x77860000 0x77a08fff Memory Mapped File rwx False False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory r True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
sppsvc.exe 0xffd90000 0x1000eefff Memory Mapped File rwx False False False -
cryptbase.dll 0x7fefd6a0000 0x7fefd6aefff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x7fefd790000 0x7fefd7a3fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7fefd900000 0x7fefd96afff Memory Mapped File rwx False False False -
usp10.dll 0x7fefdb80000 0x7fefdc48fff Memory Mapped File rwx False False False -
lpk.dll 0x7fefdd30000 0x7fefdd3dfff Memory Mapped File rwx False False False -
imm32.dll 0x7fefdd40000 0x7fefdd6dfff Memory Mapped File rwx False False False -
gdi32.dll 0x7fefed10000 0x7fefed76fff Memory Mapped File rwx False False False -
msctf.dll 0x7fefed80000 0x7fefee88fff Memory Mapped File rwx False False False -
advapi32.dll 0x7feff0f0000 0x7feff1cafff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7feff1d0000 0x7feff2fcfff Memory Mapped File rwx False False False -
sechost.dll 0x7feff850000 0x7feff86efff Memory Mapped File rwx False False False -
ole32.dll 0x7feff870000 0x7feffa72fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7feffa80000 0x7feffb1efff Memory Mapped File rwx False False False -
apisetschema.dll 0x7feffb80000 0x7feffb80fff Memory Mapped File rwx False False False -
pagefile_0x000007fffffb0000 0x7fffffb0000 0x7fffffd2fff Pagefile Backed Memory r True False False -
private_0x000007fffffd5000 0x7fffffd5000 0x7fffffd6fff Private Memory rw True False False -
private_0x000007fffffd7000 0x7fffffd7000 0x7fffffd8fff Private Memory rw True False False -
private_0x000007fffffd9000 0x7fffffd9000 0x7fffffdafff Private Memory rw True False False -
private_0x000007fffffdb000 0x7fffffdb000 0x7fffffdcfff Private Memory rw True False False -
private_0x000007fffffdd000 0x7fffffdd000 0x7fffffdefff Private Memory rw True False False -
private_0x000007fffffdf000 0x7fffffdf000 0x7fffffdffff Private Memory rw True False False -
Process #32: System
0 0
Information Value
ID #32
File Name System
Command Line -
Initial Working Directory -
Monitor Start Time: 00:01:47, Reason: Kernel Analysis
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:02:39
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x4
Parent PID 0x0 (Unknown)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x8
0x5C
0x24
0x9C
0x78
0xC0
0x28
0x40
0x3C
0x38
0x34
0x30
0xC4
0xCC
0x48
0xD0
0xB8
0xD4
0xD8
0xDC
0xE8
0xEC
0x64
0x2C
0xFC
0x104
0x114
0x108
0x4C
0x10C
0x12C
0x130
0x134
0x138
0x174
0x90
0x100
0xB0
0x74
0x98
0x268
0x2E4
0x84
0x68
0x8C
0x80
0x88
0x3AC
0x440
0x464
0x94
0x56C
0x5B0
0x5C4
0x5C8
0x634
0x6B8
0x6C8
0x6D8
0x6E0
0x6EC
0x6F4
0x60
0x20
0x448
0x1C
0x788
0x444
0x790
0x0
0x7E0
0x4FC
0x4F4
0x410
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x00032fff Pagefile Backed Memory rw True False False -
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
ntdll.dll 0x77ab0000 0x77c2ffff Memory Mapped File rwx False False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
Process #33: ose.exe
0 0
Information Value
ID #33
File Name c:\program files\common files\microsoft shared\source engine\ose.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:53, Reason: Autostart
Unmonitor End Time: 00:01:54, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x610
Parent PID 0x1ac (c:\windows\system32\winlogon.exe)
Is Created or Modified Executable True
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x614
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File rwx False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory r True False False -
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
ose.exe 0x00ce0000 0x00d02fff Memory Mapped File rwx True True False
ntdll.dll 0x778d0000 0x77a78fff Memory Mapped File rwx False False False -
ntdll.dll 0x77ab0000 0x77c2ffff Memory Mapped File rwx False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory r True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory rw True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory rw True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory rw True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory r True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory r True False False -