Intro to digital forensics, rapid triage examination and analysis

Finally, I was able to figure out the hint you gave me for the task while analysing task 3 on API Monitor. It seems my Timeline Explorer or the server I'm using is the issue, because most of the images in this section I can't find when I analyse the MFT backup CSV.
Thanks again for the hint

Just got it.

It is in the MFT File.

Normally you will see the uninstall.exe. However, don't forget that:

  • Don’t forget to remove the Filter 93866
  • The top-down list does not represent the real time sequence order. The new filename can be above the past one (uninstall)
  • Explore the 'File name' field (new name) and the 'Zone ID field' content (contains the old filename)
  • Another way is to look for the same file size

Hi, for those who are stuck on this exercise, try filtering directly by the name uninstall.exe, or do a Ctrl + F and look at the ZoneId contents field; make sure it is the same as the one for uninstall.exe and you will get to the answer.

Your tip is so helpful to me.
Thanks a lot.

To everyone: pay attention to the API field → "CreateProcessA"

Hi @slimchady and anyone else this may help. I got this by:

  1. generating an MFT.csv using the command line commands in the notes
  2. then loading this MFT file in Timeline Explorer.
  3. Filter the uninstall.exe event using 93866 as entry number.
  4. You can now find the Zone ID info which doesn’t change.
  5. I then used the HostUrl link to filter the Zone ID content while removing all other filters.

FYI: The HostUrl is the source of the uninstall.exe and will remain the same even when the filename is changed.
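The workflow in the post above, as an added example that is not part of the thread: a script that reads an MFT CSV export, takes the HostUrl from the Zone.Identifier contents of entry 93866, drops the entry-number filter and lists every other row carrying the same HostUrl. The column names and the sample rows are constructed assumptions, loosely modelled on an MFTECmd-style export, not a real evidence file.

```python
import csv
import io

# Constructed sample of an MFT CSV export. Column names are an assumption
# (modelled on an MFTECmd-style export); the rows and URLs are made up, and
# the Zone.Identifier blob is flattened onto one line for readability.
SAMPLE_MFT_CSV = """EntryNumber,FileName,FileSize,ZoneIdContents
93866,uninstall.exe,524288,"[ZoneTransfer] ZoneId=3 HostUrl=https://example.invalid/dl/uninstall.exe"
93871,report.docx,20480,"[ZoneTransfer] ZoneId=3 HostUrl=https://example.invalid/report.docx"
93880,renamed_tool.exe,524288,"[ZoneTransfer] ZoneId=3 HostUrl=https://example.invalid/dl/uninstall.exe"
93890,notes.txt,1024,
"""


def parse_zone_id(contents):
    """Turn a Zone.Identifier ADS blob into a dict of key/value pairs.

    Works whether the keys are separated by newlines (on-disk form) or by
    spaces (flattened CSV form), since split() handles both.
    """
    fields = {}
    for token in contents.replace("[ZoneTransfer]", "").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_renamed_copies(csv_text, entry_number):
    """Return rows whose HostUrl matches the HostUrl of the given MFT entry.

    Mirrors the manual steps: read the Zone ID contents of the entry found
    via the entry-number filter, then search every row for the same HostUrl.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    target = next((r for r in rows if r["EntryNumber"] == str(entry_number)), None)
    if target is None:
        raise ValueError(f"entry {entry_number} not found in MFT export")
    host_url = parse_zone_id(target["ZoneIdContents"]).get("HostUrl")
    if not host_url:
        raise ValueError("target entry has no HostUrl in its Zone.Identifier data")
    return [
        row for row in rows
        if row["EntryNumber"] != target["EntryNumber"]
        and parse_zone_id(row["ZoneIdContents"]).get("HostUrl") == host_url
    ]


if __name__ == "__main__":
    for row in find_renamed_copies(SAMPLE_MFT_CSV, 93866):
        print(f"entry {row['EntryNumber']}: {row['FileName']} ({row['FileSize']} bytes)")
```

Matching on HostUrl rather than on file name is what survives a rename; comparing FileSize on the returned rows is the extra check the earlier post suggests.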