Finally I was able to figure out the hint you gave me for task on while analysing task 3 on API Monitor. It seems my Timeline Explorer or the server I’m using is the issue, because most of the images in this section I can’t find when I analyse the MFT backup CSV.
Thanks again for the hint
Just got it.
It is in the MFT File.
Normally you will see the uninstall.exe. However, don’t forget that:
- Don’t forget to remove the Filter 93866
- The top-down list does not represent the real time sequence order. The new filename can be above the past (uninstall)
- Explore the ‘File name’ field (new name) and the ‘Zone ID’ field content (contains the old filename)
- Another way is to look for the same file size
Hi, for those who are stuck on this exercise, try filtering directly by the name uninstall.exe, or use Ctrl + F, and look at the ZoneId contents field; make sure it is the same as the one for uninstall.exe and you will arrive at the answer.
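The two checks suggested in the posts above (same Zone ID contents as uninstall.exe, or same file size), scripted over an MFT CSV export as an added example that is not from any of the posters. The column names `FileName`, `FileSize`, `Created0x10` and `ZoneIdContents` are assumptions to adjust to the real CSV header, and every sample row is constructed.

```python
import csv
import io

# Constructed sample rows. Column names are assumptions; match them to your CSV header.
# The renamed file is deliberately listed ABOVE the original: row order is not time order.
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,FileSize,Created0x10,ZoneIdContents
1201,.\\Users\\demo\\Downloads,report.pdf,48211,2023-01-05 09:12:44,[ZoneTransfer] ZoneId=3 HostUrl=https://files.example/report.pdf
1350,.\\Users\\demo\\Downloads,renamed-sample.exe,73802,2023-01-05 10:02:10,[ZoneTransfer] ZoneId=3 HostUrl=https://downloads.example/uninstall.exe
1342,.\\Users\\demo\\Downloads,uninstall.exe,73802,2023-01-05 09:58:31,[ZoneTransfer] ZoneId=3 HostUrl=https://downloads.example/uninstall.exe
1399,.\\Windows\\Temp,setup.log,73802,2023-01-05 10:05:00,
"""


def find_renamed_candidates(csv_text, known_name):
    """Return rows that share Zone ID contents or file size with known_name."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    wanted = known_name.lower()
    references = [r for r in rows if r["FileName"].lower() == wanted]
    hits = []
    for ref in references:
        for row in rows:
            if row["FileName"].lower() == wanted:
                continue  # skip the known file itself
            reasons = []
            # An empty Zone ID field matches nothing; only compare real content.
            if ref["ZoneIdContents"] and row["ZoneIdContents"] == ref["ZoneIdContents"]:
                reasons.append("zone_id")
            if row["FileSize"] == ref["FileSize"]:
                reasons.append("size")
            if reasons:
                hits.append({
                    "name": row["FileName"],
                    "entry": row["EntryNumber"],
                    "created": row["Created0x10"],
                    "reasons": reasons,
                })
    # Strongest match first (both indicators), then by timestamp, not by row order.
    hits.sort(key=lambda h: (-len(h["reasons"]), h["created"]))
    return hits


if __name__ == "__main__":
    for hit in find_renamed_candidates(SAMPLE_CSV, "uninstall.exe"):
        print(hit["created"], hit["name"], "+".join(hit["reasons"]))
```

A size-only match (the `setup.log` row here) is a weak indicator on its own; the Zone ID match is what ties a differently named file back to the original download.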
Your tip is so helpful to me.
Thanks a lot.
To everyone: pay attention to the API field → “CreateProcessA”