1e0db9aae4b512fed223e566d6a7baf6c149e252d276f30037a990fb7c325b94 (SHA256)
Desktop Ransomware.exe
Windows Exe (x86-32)
Created at 2018-11-01 17:12:00
Notifications (1/1)
The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.
Monitored Processes
Behavior Information - Grouped by Category
Process #1: desktop ransomware.exe
851
0
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\ciihmnxmn6ps\desktop\desktop ransomware.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\Desktop\Desktop Ransomware.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:00:36, Reason: Analysis Target |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:01 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdd4 |
| Parent PID | 0x508 (Unknown) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DD8
0x
DDC
0x
E14
0x
E18
0x
E2C
0x
E30
0x
EF8
0x
F38
0x
F3C
0x
F40
0x
F68
0x
F6C
0x
F9C
0x
FC4
0x
FF8
0x
534
0x
7DC
0x
C14
0x
BF8
0x
820
0x
D9C
0x
78C
0x
DA0
0x
EA0
0x
E0C
0x
E98
0x
D48
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000020000 | 0x00020000 | 0x0003ffff | Private Memory | - |
|
|
|
- |
| desktop ransomware.exe | 0x00230000 | 0x002fffff | Memory Mapped File | rwx |
|
|
|
|
| private_0x0000000000300000 | 0x00300000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000300000 | 0x00300000 | 0x0030ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00333fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x00443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000450000 | 0x00450000 | 0x00450fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x00461fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00470000 | 0x0052dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000530000 | 0x00530000 | 0x00536fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x00546fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000550000 | 0x00550000 | 0x0064ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000650000 | 0x00650000 | 0x0074ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000750000 | 0x00750000 | 0x00756fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000760000 | 0x00760000 | 0x00760fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000770000 | 0x00770000 | 0x00770fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000780000 | 0x00780000 | 0x00780fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000790000 | 0x00790000 | 0x00796fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007a0000 | 0x007a0000 | 0x007a2fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000000007b0000 | 0x007b0000 | 0x007b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000007c0000 | 0x007c0000 | 0x007cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000007d0000 | 0x007d0000 | 0x007d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| rpcss.dll | 0x007e0000 | 0x008b5fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000007e0000 | 0x007e0000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| l_intl.nls | 0x007e0000 | 0x007e2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000007f0000 | 0x007f0000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000800000 | 0x00800000 | 0x0080ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x0081ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000810000 | 0x00810000 | 0x00816fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000820000 | 0x00820000 | 0x0082ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000830000 | 0x00830000 | 0x0083ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000840000 | 0x00840000 | 0x0084ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000850000 | 0x00850000 | 0x0085ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000850000 | 0x00850000 | 0x00850fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000860000 | 0x00860000 | 0x0086ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000870000 | 0x00870000 | 0x0087ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000880000 | 0x00880000 | 0x0088ffff | Private Memory | rw |
|
|
|
- |
| sorttbls.nlp | 0x00880000 | 0x00884fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000890000 | 0x00890000 | 0x0089ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008a0000 | 0x008a0000 | 0x008a6fff | Private Memory | rwx |
|
|
|
- |
| private_0x00000000008b0000 | 0x008b0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000008c0000 | 0x008c0000 | 0x008cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008d0000 | 0x008d0000 | 0x00a57fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000a60000 | 0x00a60000 | 0x00be0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000bf0000 | 0x00bf0000 | 0x01feffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001ff0000 | 0x01ff0000 | 0x020effff | Private Memory | rw |
|
|
|
- |
| sortkey.nlp | 0x020f0000 | 0x02130fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002140000 | 0x02140000 | 0x0214ffff | Private Memory | rwx |
|
|
|
- |
| sortdefault.nls | 0x02150000 | 0x02486fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000002490000 | 0x02490000 | 0x1a48ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a490000 | 0x1a490000 | 0x1ab5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ab60000 | 0x1ab60000 | 0x1ac6bfff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac70000 | 0x1ac70000 | 0x1ad6ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000001ad70000 | 0x1ad70000 | 0x1aefdfff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000001af00000 | 0x1af00000 | 0x1af0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001af10000 | 0x1af10000 | 0x1af1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000001af20000 | 0x1af20000 | 0x1af30fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000001af40000 | 0x1af40000 | 0x1af4ffff | Private Memory | rw |
|
|
|
- |
| mscorrc.dll | 0x1af50000 | 0x1afa3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001afa0000 | 0x1afa0000 | 0x1afaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001afb0000 | 0x1afb0000 | 0x1b0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b0b0000 | 0x1b0b0000 | 0x1b1affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b1b0000 | 0x1b1b0000 | 0x1b2cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b1b0000 | 0x1b1b0000 | 0x1b2affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b2c0000 | 0x1b2c0000 | 0x1b2cffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x1b2d0000 | 0x1b345fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b350000 | 0x1b350000 | 0x1b44ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x1b450000 | 0x1c44ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001c450000 | 0x1c450000 | 0x1c54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000001c550000 | 0x1c550000 | 0x1ca41fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000001ca50000 | 0x1ca50000 | 0x1cb6dfff | Private Memory | rw |
|
|
|
- |
| private_0x000000001cb70000 | 0x1cb70000 | 0x1cc6ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000000001cc70000 | 0x1cc70000 | 0x1cd6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001cd70000 | 0x1cd70000 | 0x1ce6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ce70000 | 0x1ce70000 | 0x1cf6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001cf70000 | 0x1cf70000 | 0x1d06ffff | Private Memory | rw |
|
|
|
- |
| msvcr80.dll | 0x64a10000 | 0x64ad8fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00007ff5ffc48000 | 0x7ff5ffc48000 | 0x7ff5ffc49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffc4a000 | 0x7ff5ffc4a000 | 0x7ff5ffc4bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffc4e000 | 0x7ff5ffc4e000 | 0x7ff5ffc4ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffc50000 | 0x7ff5ffc50000 | 0x7ff5ffc5ffff | Private Memory | rwx |
|
|
|
- |
| private_0x00007ff5ffc60000 | 0x7ff5ffc60000 | 0x7ff5ffceffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00007ff5ffcf0000 | 0x7ff5ffcf0000 | 0x7ff5ffdeffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff5ffdf0000 | 0x7ff5ffdf0000 | 0x7ff5ffe12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff5ffe13000 | 0x7ff5ffe13000 | 0x7ff5ffe14fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe15000 | 0x7ff5ffe15000 | 0x7ff5ffe16fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe17000 | 0x7ff5ffe17000 | 0x7ff5ffe18fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe19000 | 0x7ff5ffe19000 | 0x7ff5ffe1afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe1b000 | 0x7ff5ffe1b000 | 0x7ff5ffe1bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe1c000 | 0x7ff5ffe1c000 | 0x7ff5ffe1dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff5ffe1e000 | 0x7ff5ffe1e000 | 0x7ff5ffe1ffff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff875e30000 | 0x7ff875e30000 | 0x7ff875e3ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875e40000 | 0x7ff875e40000 | 0x7ff875e4ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875e50000 | 0x7ff875e50000 | 0x7ff875eeffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875ef0000 | 0x7ff875ef0000 | 0x7ff875efffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875f00000 | 0x7ff875f00000 | 0x7ff875f6ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875f70000 | 0x7ff875f70000 | 0x7ff875f7ffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875f80000 | 0x7ff875f80000 | 0x7ff875fbffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875fc0000 | 0x7ff875fc0000 | 0x7ff875fcffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875fd0000 | 0x7ff875fd0000 | 0x7ff875fdffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875fe0000 | 0x7ff875fe0000 | 0x7ff875feffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff875ff0000 | 0x7ff875ff0000 | 0x7ff875ffffff | Private Memory | - |
|
|
|
- |
| private_0x00007ff876000000 | 0x7ff876000000 | 0x7ff87600ffff | Private Memory | - |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x7ff8d1e20000 | 0x7ff8d2036fff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7ff8d25c0000 | 0x7ff8d3658fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7ff8d3740000 | 0x7ff8d3978fff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7ff8d3b00000 | 0x7ff8d452ffff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7ff8d4530000 | 0x7ff8d46b2fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7ff8d46c0000 | 0x7ff8d559dfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7ff8d55a0000 | 0x7ff8d5f3ffff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7ff8d6410000 | 0x7ff8d64a6fff | Memory Mapped File | rwx |
|
|
|
- |
| culture.dll | 0x7ff8d6680000 | 0x7ff8d6689fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7ff8d6690000 | 0x7ff8d66f7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x7ff8d9a40000 | 0x7ff8d9be8fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7ff8e3a50000 | 0x7ff8e3a59fff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ff8e86a0000 | 0x7ff8e8851fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 78 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | 826.10 KB |
MD5:
3c7218b6316b04c210ae1487433585b0
SHA1: da0dcfe4d9cd2887d99b93cff3adbbefb8540ec7 SHA256: 9ebcc96babc5f7bd5873181e84a7de7fef57d2554ebaf286307b78ec8d99deed SSDeep: 12288:ghkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4a73oPzJe0/t1k5iEBta:oRmJkcoQricOIQxiZY1iaDobdt1STo |
|
|
Host Behavior
File (8)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ |
|
1 | |
| Get Info | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\machine.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Desktop Ransomware.config | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_type |
|
2 | |
| Write | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 845927 |
|
1 |
Registry (3)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | - |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework | value_name = DbgManagedDebugger, type = REG_NONE |
|
1 |
Process (14)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | show_window = SW_SHOWNORMAL |
|
1 | |
| Create | https://www.facebook.com/profile.php?id=100027091457754 | show_window = SW_SHOWNORMAL |
|
13 |
Module (272)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Get Handle | c:\windows\system32\user32.dll | base_address = 0x7ff8ebdc0000 |
|
1 | |
| Get Handle | c:\users\ciihmnxmn6ps\desktop\desktop ransomware.exe | base_address = 0x230000 |
|
20 | |
| Get Handle | comctl32.dll | base_address = 0x7ff8d18c0000 |
|
125 | |
| Get Address | c:\windows\system32\user32.dll | function = DefWindowProcW, address_out = 0x7ff8ee413240 |
|
1 | |
| Get Address | Unknown module name | function = ImageList_WriteEx, address_out = 0x0 |
|
125 |
Window (13)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0 | class_name = .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0, wndproc_parameter = 0 |
|
1 | |
| Create | Desktop Ransomware | class_name = WindowsForms10.Window.208.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.0.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | Get PIN | class_name = WindowsForms10.BUTTON.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | You | class_name = WindowsForms10.STATIC.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | Enter PIN | class_name = WindowsForms10.STATIC.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | Decryption | class_name = WindowsForms10.BUTTON.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.EDIT.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | PIN = | class_name = WindowsForms10.STATIC.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | Oooooops All your files on the desktop are encrypted To decrypt files enter PIN see you soon | class_name = WindowsForms10.STATIC.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | Welcome in Desktop Ransomware | class_name = WindowsForms10.STATIC.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 |
|
1 |
Keyboard (517)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 |
|
11 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 0 |
|
26 | |
| Read | virtual_key_code = VK_RBUTTON, result_out = 0 |
|
88 | |
| Read | virtual_key_code = VK_MBUTTON, result_out = 0 |
|
88 | |
| Read | virtual_key_code = VK_XBUTTON1, result_out = 0 |
|
88 | |
| Read | virtual_key_code = VK_XBUTTON2, result_out = 0 |
|
88 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551489 |
|
21 | |
| Read | virtual_key_code = VK_SHIFT, result_out = 0 |
|
22 | |
| Read | virtual_key_code = VK_CONTROL, result_out = 0 |
|
22 | |
| Read | virtual_key_code = VK_MENU, result_out = 18446744073709551489 |
|
10 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 1 |
|
23 | |
| Read | virtual_key_code = VK_LBUTTON, result_out = 18446744073709551488 |
|
18 | |
| Read | virtual_key_code = VK_MENU, result_out = 1 |
|
6 | |
| Read | virtual_key_code = VK_MENU, result_out = 18446744073709551488 |
|
6 |
System (9)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Computer Name | result_out = LHNIWSJ |
|
1 | |
| Get Cursor | x_out = 748, y_out = 484 |
|
4 | |
| Get Info | type = Operating System |
|
4 |
Environment (2)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | name = COR_PROFILER |
|
1 | |
| Get Environment String | name = COR_ENABLE_PROFILING |
|
1 |
Process #2: tempchhksm.exe
10844
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\users\ciihmnxmn6ps\appdata\local\tempchhksm.exe |
| Command Line | "C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe" |
| Initial Working Directory | C:\Users\CIiHmnxMn6Ps\Desktop\ |
| Monitor | Start Time: 00:01:03, Reason: Child Process |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:34 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xf74 |
| Parent PID | 0xdd4 (c:\users\ciihmnxmn6ps\desktop\desktop ransomware.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
F78
0x
F88
0x
F8C
0x
F90
0x
F94
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000000a0000 | 0x000a0000 | 0x000a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000b0000 | 0x000b0000 | 0x000b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x000c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x0018dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x00223fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000230000 | 0x00230000 | 0x00231fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000240000 | 0x00240000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000240000 | 0x00240000 | 0x00240fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000250000 | 0x00250000 | 0x00253fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002c0000 | 0x002c0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x00310fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00320fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000320000 | 0x00320000 | 0x00323fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x00333fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000390000 | 0x00390000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| tempchhksm.exe | 0x00400000 | 0x004b8fff | Memory Mapped File | rwx |
|
|
|
|
| private_0x00000000004c0000 | 0x004c0000 | 0x008bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000008c0000 | 0x008c0000 | 0x00a47fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000a60000 | 0x00a60000 | 0x00e5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000e60000 | 0x00e60000 | 0x0125ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001260000 | 0x01260000 | 0x0165ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000001660000 | 0x01660000 | 0x017e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000017f0000 | 0x017f0000 | 0x02beffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02d7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002bf0000 | 0x02bf0000 | 0x02ceffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002cf0000 | 0x02cf0000 | 0x02d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000002d70000 | 0x02d70000 | 0x02d7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x02d80000 | 0x030b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000030c0000 | 0x030c0000 | 0x034bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000034c0000 | 0x034c0000 | 0x038bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000038c0000 | 0x038c0000 | 0x03977fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000003980000 | 0x03980000 | 0x03b7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03c53fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03c50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03c5afff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03c57fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003b80000 | 0x03b80000 | 0x03f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03d37fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003c60000 | 0x03c60000 | 0x03d3afff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d40000 | 0x03d40000 | 0x03e0bfff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003d40000 | 0x03d40000 | 0x03e19fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e10000 | 0x03e10000 | 0x03ee6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000003e20000 | 0x03e20000 | 0x03ef7fff | Private Memory | rw |
|
|
|
- |
| wow64cpu.dll | 0x64ae0000 | 0x64ae7fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64win.dll | 0x64af0000 | 0x64b62fff | Memory Mapped File | rwx |
|
|
|
- |
| wow64.dll | 0x64b70000 | 0x64bbefff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x74660000 | 0x7468efff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x74690000 | 0x746aafff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x746b0000 | 0x746c2fff | Memory Mapped File | rwx |
|
|
|
- |
| devobj.dll | 0x746d0000 | 0x746f0fff | Memory Mapped File | rwx |
|
|
|
- |
| mpr.dll | 0x74700000 | 0x74716fff | Memory Mapped File | rwx |
|
|
|
- |
| winmmbase.dll | 0x74720000 | 0x74742fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x74750000 | 0x74768fff | Memory Mapped File | rwx |
|
|
|
- |
| wininet.dll | 0x74770000 | 0x74993fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x749a0000 | 0x74ba8fff | Memory Mapped File | rwx |
|
|
|
- |
| wsock32.dll | 0x74bb0000 | 0x74bb7fff | Memory Mapped File | rwx |
|
|
|
- |
| winmm.dll | 0x74bc0000 | 0x74be3fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x74bf0000 | 0x74bf7fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x74c00000 | 0x74c1cfff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x74c20000 | 0x74c94fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x74ca0000 | 0x74d30fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x74d40000 | 0x74d98fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x74da0000 | 0x74da9fff | Memory Mapped File | rwx |
|
|
|
- |
| sspicli.dll | 0x74db0000 | 0x74dcdfff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x74e70000 | 0x74fe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comdlg32.dll | 0x75160000 | 0x7521dfff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x75220000 | 0x75255fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x75260000 | 0x7534ffff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x753b0000 | 0x753f3fff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x75400000 | 0x7542afff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x75430000 | 0x767eefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x76810000 | 0x7681efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x768b0000 | 0x76999fff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x769b0000 | 0x76a0bfff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x76a10000 | 0x76a8afff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x76c40000 | 0x76c82fff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x76c90000 | 0x76d21fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x76d90000 | 0x76e3bfff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x76e40000 | 0x76ff9fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x77000000 | 0x7714cfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77150000 | 0x7728ffff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x77290000 | 0x772d3fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x77340000 | 0x773ccfff | Memory Mapped File | rwx |
|
|
|
- |
| psapi.dll | 0x773d0000 | 0x773d5fff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x773e0000 | 0x773e6fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x773f0000 | 0x778ccfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x778d0000 | 0x779effff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x779f0000 | 0x77aadfff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x77c30000 | 0x77c3bfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77ca0000 | 0x77e18fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| private_0x00000000ffeaa000 | 0xffeaa000 | 0xffeacfff | Private Memory | rw |
|
|
|
- |
| private_0x00000000ffead000 | 0xffead000 | 0xffeaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000ffeb0000 | 0xffeb0000 | 0xfffaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000fffd4000 | 0xfffd4000 | 0xfffd6fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffd7000 | 0xfffd7000 | 0xfffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffda000 | 0xfffda000 | 0xfffdafff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdc000 | 0xfffdc000 | 0xfffdefff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000fffe0000 | 0xfffe0000 | 0x7ff8ee37ffff | Private Memory | r |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x00007ff8ee542000 | 0x7ff8ee542000 | 0x7ffffffeffff | Private Memory | r |
|
|
|
- |
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.DlhsKoDumMDb.bmp | 89.91 KB |
MD5:
b3877521b2befaaeed42eafee857507c
SHA1: def6b44422630d725d4b32cbf27ea239ffab07d9 SHA256: 863254cbe699888687ab1d02385a0c3c7bcdff2ad31fb6b46dccecb1ad459760 SSDeep: 1536:/ZkIuCsG9PGzUpYvTSCnmJQILhobvqdRATRlB1ZAxnYUsb8:RkIuaKt2MEQIN9gFr1Sxiw |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.uQdlphYG1dbqk1.jpg | 70.86 KB |
MD5:
2ae565171a26dea1b3590e053ed467cf
SHA1: 2d90e577661599ac505f4be0c904e1bad0d0aed4 SHA256: 6532c6dfbdb8f38893ba38f5de0e6a28e086e4994be1444b3aab7614c192636f SSDeep: 1536:O6F3mB02b80vLZFTnTVn12GykYEsGcHW78d9dYHsOMH5UQmj:rFN2HvzTTVnWEspy+w |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | 7.35 KB |
MD5:
4d201336419143ade64b63767eaad1be
SHA1: a960a2e56476d2a4ef744b88167bf1b6a2e976b2 SHA256: 62e59456694f3fbe2f83735d73b7cd7d90c4ad33716cbf6dd526c424dd230c58 SSDeep: 192:nv1fbgy1j/FhwI8yFk/DL0N0x1LGrGXmLr+rK/:tjgyV/1 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.e4YsgwXPFnJ1eF_aq_.rtf | 90.59 KB |
MD5:
a29d2f6abd67fcf5718c20ac802ee632
SHA1: b99bd40169965b53e5f72b2214c95ff8dcc928a1 SHA256: 5ebfb5eb72b078fb2e8f487ae28633a607c87f8e53a03f497273f617e31c18b7 SSDeep: 1536:fnAssYjtciNZax9rkgP5MrBHVMPXZsCzJFrBUL2JQrxYuED6DMSUJCh2trg3ihh/:fAtYai/Y97mpG7VFr7J2KD6BwCgt0C/ |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.dCV6-VAR1Amz0.mp4 | 1.80 KB |
MD5:
e65cfd7126b21bb9e4ed6fd52f8218f7
SHA1: 56d12eed50b8b65a626d88786b25c3a6aac0e6b6 SHA256: e998fa5da054b0cb81eab345c6207e7767d2dfaf8a2ccba1776d9ada0763f4c1 SSDeep: 24:LbxMhMTHMd0egMQQk2eiE2leb2qpkOJ+pSTkgxSLcH4um26WHarD1SOUfZ7LYuv6:LCmQQiEUeb2okOJESQfgHo26Sn7Hs |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.R0bpFAwwI.xls | 40.78 KB |
MD5:
a873837e1cc6e76da3d7a7854c850412
SHA1: 137fc0608a076e7e0cc0e0169e82e12d1fec755c SHA256: fb7aed3b69233974bf3cdd03384bda4637a9206ab0baca7d2b2ff17a6b2af397 SSDeep: 768:xpCfw/DPAztt9UdFlLReu8gLmIUghFW+TXwv9qeBbTg8IVvVKw5CqW:xkI7s/CFl1eu80mIANAubTv09bCqW |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SeOV2qpgcHWHh_nbqI.mp3 | 40.55 KB |
MD5:
3ea69d26347f04f5a8a43b1ff0327e6e
SHA1: 2835c1292874855921e30a48bc1c14421771a260 SHA256: 414838c1b266b82b315d4df6a6fba1b80b5bcaa09f6599ea2065e7c9b8bb16d4 SSDeep: 768:Oj0ezuUZ3k9odRxegntsMjxa2fd5SZWos/iU4stl1tNwQXSlsub:YX70HgtVlNF5SwoqiU4st//XmN |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.VgQS p2zoBtKpHSKB.docx | 49.02 KB |
MD5:
9481f05d394807fcc22313d3538306f1
SHA1: ece8f2fde6578039905083976a8d52a3502a9f05 SHA256: ab5407f68e3fca5f6ebece0c3fa68f1d35ad6a17c20beda426849afb3dd00d4c SSDeep: 1536:Vl3hufmBfmE8by1apOm5zpQEW38On2O5D:0fm5f8QP8On2CD |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.pCRiuz4PFsi5.png | 82.95 KB |
MD5:
418fc4eab222f7c2f4dac612f8e5b71e
SHA1: 5736b261a903881f4a594c6f0ea1fadb508b11b2 SHA256: 7ecca217e64de0e3406533670776cf0ced6c89f04f2fe89297438ba17ecdd686 SSDeep: 1536:JBfsuqxwZlCDjPXEjF8CxadNNemTT6LLtjsse166VLbTYEzaJVps:PfsuXCDjP0jFx4jxSLLtj+66VjYEz2ps |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.z0fFK_swV0a.wav | 68.63 KB |
MD5:
32ea28c325fb074e4ddd62026cda89a4
SHA1: 79d6867695bfd5808191a2d57d807eef38991714 SHA256: 99e315b85a002e05286540168ca3cd9761cf5bd022166c37cdfcdffd229f3692 SSDeep: 1536:vQyYbnIOG0vwyrhxrTKEiB8xxelbh0bvALrFGQMolJUnhYR5ThHM:dYPG0vfVxrTwAelOboLoRKJUnh6ts |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SBImy.wav | 97.45 KB |
MD5:
effd4e5092c6923b3cd1beaca11bca9d
SHA1: d90d0afadc73c7d8e7aab13c98437ade17b09b5c SHA256: 0fcf5cb0b99eaaef1bf0cfa7d56050d89961071f000cc29634c8303b39210480 SSDeep: 3072:xaXjVYXCy7tGl612bwgPPNfa4JSk/SF56:uj6bg2edfa8O56 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos/Lock.5VHrP.avi | 36.27 KB |
MD5:
8a6b721beb27f97c5d4e8fa5a45284c5
SHA1: fd9966b0c2717ed649b23c7252644006f88fcef5 SHA256: ac3f2fb9f4d0804f5702f032f020650f4ca24c9118882728572d583c883c93e6 SSDeep: 768:kvaRVO5vmZ75PEwOiXgF4Dnoy+uVJVXYLjFOPTwyO8Z:ZXO5u55zOwgF4DsuVXcFOPMyO8Z |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.e5GfWHYXYvLZf4xlvH.odt | 52.27 KB |
MD5:
e2b407dd9b604da7b714ee0f340c290d
SHA1: a98ee6e07c89d0e18f06d12cb2205877d325ff81 SHA256: f1a51379fe0486e3795cf60e3e6f9e47b4f55c06ef4e6abf0dd8eb93a2b0273d SSDeep: 768:Q61j39wQPsz42jdeFO6bFm8MlPGcuSgMFweTPyFVu2SlKqcldEa8Ml7CdjK:Q6xtTs8yGZSgMFwYKzKMqZaVlWZK |
|
|
| C:\Users\Public\Videos/Lock.desktop.ini | 0.38 KB |
MD5:
1266a4ab23e5f2bb48db47c0ad3a391c
SHA1: 8a3c979136b0432c9291d5dbe25cf5a9c1bc043b SHA256: 7ff02fe5fdd24624fb413f493ecb593606663dac00382a7a0e12303bd45a7ae9 SSDeep: 6:x/unJ6ZESn4iPU+HID8/KOv9CwdRgZ/6xDhyPlrt45UxnDmOY+FfzFqrQxhNeEof:x/YcZ74iPoQKG9CwdRgZ/qDhyAaiCzFs |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.7NLT7b7.bmp | 62.46 KB |
MD5:
b8c7d59fe8061970cc7ef7d8abbd5fef
SHA1: ed44909867439fb2af5fd7db54838060bfa9b46e SHA256: 9c4d7387ef0d78ebcd4466e1630390a00c4e3a88e0956aabdf6eace549e99fd6 SSDeep: 1536:Naownp1orPCUDMD2kRsXVvYeQiBCTmay7Cd3YdFOv5v:Na3p1or6wkRsXVavTmT630ON |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.gj X79Jxk-e2.mp3 | 28.48 KB |
MD5:
be835ec41d43d19eb2c9f32a821ba034
SHA1: dc1b764e29c9956ff9425aac5e70cde00e109ece SHA256: 6bf34f8dd4a568f7e93c23ba9f13336df22be7fc393ca5115bc0b1a30a4167d7 SSDeep: 768:+Qsm1eH4kmgVtw47jCNqAOLXGhsr1FbyrcwhwL:ym1e/JgOOqA0GqXbIcwCL |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.VowNGbAt2Uc.flv | 95.70 KB |
MD5:
5ee5cee50e329af145873879da55f924
SHA1: 9cf5db98608102b4e8f684bc252c786e103eecf7 SHA256: 04ac837fd5907dd6b0629ab327eee4e4f46103cbf7d4b7c9ed21f620a2245cb1 SSDeep: 1536:4cA6phMOObbxiAAdxJZc3fSl9hfdImgN2oCOCRgDcsv1tzemdAu0f0/wK90CauOG:4cAGwiACxJHpfqmu2nOC6L9lepPfpgAG |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.v_rOYmuVae.mkv | 4.84 KB |
MD5:
23a84c8d571f5089240ee3512c01539b
SHA1: b23517c88c13fe7f613a6f19ebff63f8f27c5bbf SHA256: 6197b2612dccb1856f87380be328f3b948f4de38b6d7ac87a279eed2d254d303 SSDeep: 96:ltfVKAXn7QkczSRDv1do78+trf76U5650VCfdiRq:dKqcSDv1uw+AU5650VCfr |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.miHZX-Mq6_uJj5Jr.bmp | 31.97 KB |
MD5:
7062d17dc0879a2a853b89e89e5b8fad
SHA1: 721241c7217fb2847393d4d64ed1b1f78c33ddbb SHA256: d8913d545eab40184174323798f68d86e2c674e3a7a974e20da15f302ba65b97 SSDeep: 768:MP07wNIsdU4/me/hsI0y8s70d2l9iTJeLK9G6ppHM9:F7wNIqUqmPs7I2l9u1M9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.SHgyDm0.gif | 72.32 KB |
MD5:
3234964574b362cb813d85a181ab819f
SHA1: 921e4ff33ca26ce2f47d186a67fb7e293028055b SHA256: 4b1296ca5738dd03a0a47298530c10e794514d17389dd70895a9e61c8844173d SSDeep: 1536:fECS4NQWCa75J5TJzYyRsDH+x+nsHnpDiwbnu0iYfs0IL1iXbe:fq4Nz9J5FTck+sHpOwbliYfkgy |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.md9DYhuwlzuJ4s.bmp | 93.30 KB |
MD5:
39236a6ad3667c29f35307866ff9352b
SHA1: 50ee2ed74d4d1b6ed6421f83f0f4e65023c0a3e6 SHA256: 8185ac71fa8d90589947457ddaa1c1f7644602f07f92eb3db19187db3aa27354 SSDeep: 1536:cjkgWwRpz3tPisNx+Qah9+SYDKEVhfTIe6Esh4oywHPgCTLkNCf9GWMr9gB1:ukJwDz3tbNx+fh9+S+5IefsDpTI0GWEC |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos/Lock.desktop.ini | 0.50 KB |
MD5:
ba8e16029d84e8959d9562cb2032d9bf
SHA1: b2953e85caaeca1257522b2efcbec4c0937b20da SHA256: e78630bba56447930624526c839eeb26fa8192df0f97ddd5115fbf630dc2eeb0 SSDeep: 12:x/YcZ74iPoQKG9ChqkxEWGx/rb0l4iLNnO91lo:xwA71FCAdf5rM/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.J_D_Smy7X3HCRMT CH6x.mkv | 4.23 KB |
MD5:
b40694223fac355c1d8f1c404079e419
SHA1: 621f3b455148de7784cca4d731b31723272e778d SHA256: 003164581aec1e44f746cc8d82f72e15e603963d2dec6fc11abe2db274311d39 SSDeep: 96:lMLpQR3bpVt/D4EMFyvkS2GCBG3QKrB7qDFRpGbZS/fwLC:0QVbpVx0nmlrBkPgc/n |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LvpXw5odR.mkv | 75.86 KB |
MD5:
a3e4bb0e803e6a38999c2e6f6e4a9dc2
SHA1: cec31e7efd8d805b17c7fbed8080b91e40bfe796 SHA256: d5a275c4fc3757baf0fa8a1ff4be85dc1e72f34c369f168d6af65eba3fa395f8 SSDeep: 1536:kpYxxVXvjHj3SmDxYOEQH9laghUX21w3m8AUfioUkAvqSe7eioMYT+4OHQIoD:dvvX3SAx33H9IGUXx3mvUqoUVJKPoMYX |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.WNoBJk6u3i.bmp | 76.58 KB |
MD5:
2cde6e29404fbea9516274f0f7ce63c8
SHA1: 52f883a8550cab7398c7fa9eadb0130d73581085 SHA256: c8b896abaa3750f56853536e0cb61c745186cdb75bf433f41066c86acaf7dfd1 SSDeep: 1536:OWRsij42hdp9CQQHmqo+vxiO29s27FxHcHWK/x9NPdrWHbReORVLLmxMZ1B:Fr5hd76Gq7iO+sUSWK/HrGeORlL8gB |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8irUlxoryz9NBEdK.gif | 83.17 KB |
MD5:
94557a6fe456d6c47237d125faaf725a
SHA1: c3443cbe4aa1515ed762ea5a9405e0050de96d02 SHA256: d6296b97bac62984b610aae09db79e2e8ddeff5ddc637ec110364250011371e8 SSDeep: 1536:dLn0upjDhl+xaY2D6nCAZKv/ENLKg/xhDMalhCQ8555mwSSVTOqUW9strgA5UAM1:dLnTDeiDgA/Iv/xhDvlhCQM5ARw9stl0 |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos/Lock.ctEdCOQfNgS.avi | 13.52 KB |
MD5:
fccc8ec9522a7ffa8e46dd2e2d487610
SHA1: d1c57da0e7fe612c1c2cc447ec2748f7c85665a3 SHA256: cac6d28f769aac00e5b1f2e243abe7205cebbc4ac01371b91018b7e30f867d97 SSDeep: 384:Zbr6kj7b31eWtz4BzCVjggCaz954quVV3xxb:ZbGiNtz4B+tf95ENb |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.desktop.ini | 0.50 KB |
MD5:
82d46e91be16a17eb99f24cac1768f01
SHA1: d1cd482829c5e89d764a36af5db3b23535b0d8f0 SHA256: cb4e93277081095bdbd95f8bd745a80700689bc25483259ae9d970a2c72f076e SSDeep: 12:x/YcZ74iPoQKG9CuF/+Pih/a63DCoDSr3xGFUZ4ppWpo4:xwA71FCi4iVn32oDskFUZQpW64 |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | 1.40 KB |
MD5:
ed1e7bd7f6df91f75c9176d651cb5b51
SHA1: 45a64f005af4925d0c8b075bfd93bfd95eac9d72 SHA256: 17480789de1b9fe4d6c38a1ad136594d893d00d8c051a3818f693d52faa89a1a SSDeep: 24:nCGD023AQdkS4FeaTTUzP+31lSUxBKDDIry415a2nsuCmtcmv0dtIxYcGpz0cU:CftUUeiwP27SUPK3IW6PCmtDWtIxtGpg |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xJQWy0H5XjB.bmp | 63.84 KB |
MD5:
636c0f05f62f7ec3cfede99884bfbecd
SHA1: 2bf86d214a03565e711073dab21e7328e4a59d42 SHA256: 793b51a3b908d7ccfc9562fd0cf80e1d7b2ed39e396d2fdd5fa7a1af0daad009 SSDeep: 1536:9pTw2YVs3m/Bfs1ZVrGXltKkdk6qpTi9vHoInn:/Lm/Bk1ZYXOk63Zi9vIInn |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6x1noCxpBp1mmFoeCN6T.png | 23.09 KB |
MD5:
665abeb0ebb28d77df2bf19bf674eb20
SHA1: 4c4b46e2ca8de598957be63d85f43a07a923ee37 SHA256: 99f2c4d13185d26dd982dcfbb5201761eebca966e289bbc13b8e3763c5f2e1ab SSDeep: 384:WB4mKDPEM+36+FjJOuTdHKQf99RVXzgJ9csPDDZSWtgFEdX/+EJVaM:3mcngB3KQfXRNgJ9cSpSVFEJ7JVD |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.SN-7hPJVIjPbeSt.mp3 | 43.81 KB |
MD5:
45a708009dca525ef1a1d63ffc4478ad
SHA1: 0620737cb43811263a53b4219cea4516be38da3a SHA256: df6862e2a4fbee4522e9fb4707ffa3db28052d94c260c6aaf30e21cf9d8285fa SSDeep: 768:4nmZZgtTuxx5TRQqJN47JxUm9E+05HVnJ3eEyTb4Ja/WYbeWWEeULL+P:4nmzgUR9JN47/xa+5EKb4JmbeEJi |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.4hX BzG8K.gif | 64.96 KB |
MD5:
4219cb8fed5ea91e42a5ca86f3966b18
SHA1: 4976fcb15e8f512664825fcbe831f3523d949fe7 SHA256: 9c0c3a0eb7a5fe96eb24150d025fcfba22ffe943a552695e388b106b73c8a25c SSDeep: 1536:Fgolcye2DZRaNNZKuD/xTshAF2swaQp1e:S2c+DaNxD+Y2Njp1e |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.5h pi4P G_.ods | 93.29 KB |
MD5:
37e0b45f1840e223e40e0d79364b8967
SHA1: afeb0afa4f1cfef269f5c621a345615f250b0cad SHA256: 8905204abc7d1c02d34ce67d6ce78b9d2b75990bb5630c883758f00d19d57835 SSDeep: 1536:f7bTRS4Fgfajc2NnlI7BEfswfGOLCbrFq9m+yGKoC0aE0piNSSaf5q5lWUh99F5d:z3RSRfWxzI7SUwfGOwFqo+yGTHaE0otH |
|
|
| C:\Users\Public\Documents/Lock.desktop.ini | 0.27 KB |
MD5:
ed32321288e596a743e12080885bd804
SHA1: bb98925e7c07132b23bb32b11978b6bda0b11bf5 SHA256: b5a21156abd7ed5f0c2b1a0a4ac458ca832e401707ed97361967d46e240045bc SSDeep: 6:x/unJ6ZESn4iPU+HID8/KOv9Cwd2oqbAeifTeWBUhUxcx:x/YcZ74iPoQKG9CwdS+eWehuA |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6Ihl59F1EW3Dmio30.mp3 | 21.62 KB |
MD5:
581c885caa4055e871eff58f7cc881d3
SHA1: 10e2bfd49c8c5d8c5adccf6d331a81c2f452e88a SHA256: e7f02b5c7b98f7ba4dcc0d492c2da0be70c8dbebe46fc33be0dad885d83d1ea4 SSDeep: 384:W6cIKXm9lSLmPjgbeCI5nIawYZR/tIqH5nzH2yqK8YxBxqSpd:R629lSLasbeCAIawYZRVFF2nKbBxqo |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.di ot4o1qyFI.jpg | 68.92 KB |
MD5:
b646962d696dd1b8985f0b97572c41b4
SHA1: d51cf5be61aada6d7942ee8264eeca4e22dd0fcd SHA256: 81c2aadefe4ebb3587a418a7ebb938781ad74ec3e2ee354ccde575bf93f04818 SSDeep: 1536:DjaltVT+w8fLvkcGklXqdocq4aWiYUKt13Zx8IaXvM3IJ5p3:UJQzvkcGkV4aWiYj8IaXvqa5p3 |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.j3xOnM3C5H UUFiE2.pps | 17.12 KB |
MD5:
eb710645b3c13bb03b2980826f88f843
SHA1: bec46c32e19f9af4d7a225fa6baad2ae78caff65 SHA256: 66aff372fa71b61160213f9a387053c87e2a59e00bc23489ca1508fa98053650 SSDeep: 384:NLnb1VnG//mtoSCNqRykbOegvNmvQJckG7PJnefQp/Do85ZOGFIL9:5G/KoSCMAoOvNmAZUDZo8W6IL9 |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.e47Ptw.gif | 10.63 KB |
MD5:
00b06f2b2541986c5cc2edcaea14ab05
SHA1: 5cdb230887206da519003aa5c16d8ae678af4196 SHA256: b444f406e29a011fb7bdc6501f4028630ec8e868bfa7ee6f145c38dc74728b1a SSDeep: 192:dEaQL8fuXlhKfTAUNUbz+iIA5rAxTlng3bqkLG/3xXQ:yaQL8f+hKLvniqThypLIFQ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.WUpSn9HARv5eBhQKKyI.docx | 29.97 KB |
MD5:
225f71f7f2f62bd3520a33c5b616632f
SHA1: dc9eafb157d0b1f568ee4ee06229d9f353c49ad8 SHA256: 4085a864fa8ad73ddb308538fd73cc971364e537bcc96bdcb8b0e6d8e4391b99 SSDeep: 768:HULsgyyweRPqTsQ8J0guAnbEL156hKn9XQCniaG:iyLx82gu2byqs9Xjiz |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | 0.00 KB |
MD5:
d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDeep: 3:: |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.wxFZJI-.mkv | 17.95 KB |
MD5:
c91ff64379b701caa83cd7cb1a286196
SHA1: 7524286659cdaade288502dbb208c2ddfdbffb4f SHA256: 588faf500a0987a2fc88cd59c42404411978e5ca8bb0d103dc629e5be4a2091b SSDeep: 384:fyJWkZi7/+ryi1RxJkPQIFYS47+p9BfcCf72jJcbRolTDSPF6phuQ:3kA7/e11Jkb4ihBf7mgRoZpv |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.IconCache.db | 118.56 KB |
MD5:
faba91a40ed3b94a39580b21f20b1e4b
SHA1: 43420288c935a413f4b61fdb3bad1d09c351db5b SHA256: 1866c5011ba4d228d4b788e5c87cd4e306e861af17cfb21ce3fbcbce0df6d2ce SSDeep: 3072:1SfxKyFkc5CRoJj7nFWzXDMepKbyssUpV2efrGtRw1wjxCb/MtcJjYfB:1S5KkdIAj7FiDx6V/3frG/wCW6cJjaB |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.a59dR.mp3 | 33.36 KB |
MD5:
bebdddb9649c4d9bdf98243920be5e68
SHA1: 4ac77c476bf477eb60f157837ada07fb24818497 SHA256: 5cedf20e288c92d567ecbcac331b4e3b2a7d7219b06b5a390989337334b8dec2 SSDeep: 768:+mm3DqSz8oqk03VABHpR79DcwbktQ7vE1gGYRbhjs46EZF0d0hZIn:zs8oqJ3aRmwbktQ7c1WJhj+EZF0mhZu |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YeqB3B7c2.odt | 19.63 KB |
MD5:
6dcd0a6993f2a00251e0bdc490c901bb
SHA1: 1b2ea0406c9be3d6df68655f8139a69a7f0c1d88 SHA256: dd11ac2b2f21043156311b4187164a6f83b7c1836a54604be65468cca1cc0638 SSDeep: 384:f0iDuRAwpqB3D/+S3qfLoq/2cUNra4Ak74dey1Njazrrn2:D3bqS3WpYra4B70lazry |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HPiFfUsmobc0kOQ6Rzg.flv | 50.17 KB |
MD5:
ba6353b541b9f183db98c8542f9f4781
SHA1: dfa7301335d2d0a0d799e7b917274e1bb7c46323 SHA256: 3e3c96b2a1e176bfd0ce9f2d5a7059d566f176ae2c8ce6fcedcacf08c7b10bc8 SSDeep: 768:keJEihJHQ82X+ChIV5/EpE+VhrxypsaX1LsvvrCM6OvghZy4mglLi3UsRqu7SHTN:jOinH4X+ChPjXty9X1LIeM6u+flo1miG |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.CHfvN1bcW R8s7_bOrn.xls | 29.17 KB |
MD5:
44199d2521e05bd861c20ded363a40a9
SHA1: 492dbb8b3fcd9faee0a95b862fbd9ef0dfcbaf0c SHA256: 4ccd78fca236873eb1d9d764d416881ba15ec3ff0fac40a042ca891815eecbf6 SSDeep: 768:YaI22+N4oEQWPmwSHj6cVwZfyc7SG1gmfWaC36NnVjq:YblS5LpucVwZTD1gmfdC3mQ |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.T2Cxs_YQD7nPt.bmp | 38.41 KB |
MD5:
35e406c59bdc0756018e9b5ee8c3d2d0
SHA1: 94de06879a41d7dd27df89358ecd7b67b3c8dd97 SHA256: aa4a11ecaf1744a555878ddab94e75830ecfd9d5e89c1dfad2b34a6984e11f89 SSDeep: 768:n3c2zeBy+hrqsdf1WmlAsBvdLrRce2hwUMpj92bmcQ/ybXsglgwvgb1sfE6q:Mvnrjdf5ASvcerUbfgqXpgZIEN |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.XYua.pptx | 69.51 KB |
MD5:
ccfb728780f1fe38f47a0f8c22e2fdd0
SHA1: 41db4559f85b1686c6b05e91127860b047d0363a SHA256: 6ee84c39cb8fb33f89257de6d9b024c48c587c963857f8315c7ee495c6ad8fb2 SSDeep: 1536:zK/TS4arIevBSgm6HAEASabKp3vlOOVVZi1WYARobMTUKYs:O+4Tz4KelOizi1WYAebMTUy |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.UiCbiMIX.ods | 87.09 KB |
MD5:
43d7dc0c5630ac3aaf3341f58f0a060e
SHA1: 7d6ba43c34293c67ef11dfa1232f3aac1e080cd5 SHA256: 6b727d33f1e2cafa6d5a8c285a0c2cb0e69555de294218c56d06ef36375f7b84 SSDeep: 1536:5MXnRFHigqW+hXm383QBPsYSpx0SIJfIIGWjglPmp90/A3fNu7pr3TNZJ320:5M3rdq7UsgBPsYSpxQsWjglPmwyVyr3p |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.lqoCl6y.xlsx | 67.87 KB |
MD5:
7b974d2ea2c1c2035f3b6412e47acfaf
SHA1: 6fd2a9553742a50086a470c8870c0716b9b03ea1 SHA256: 32089937bb86ca4aa9688837923899d14773ddf75977222f97f943eb9d15856a SSDeep: 1536:SBokOtz7DCBISvURj9l6rQfhXrxmIzhowESSfvB6/wKCGtaYCSK:Xkw7mSSS6rQ9fh4Scvzytaxr |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.sgCJT.jpg | 64.02 KB |
MD5:
9c7d8ff39ab3fe4f57a975c062f1fab2
SHA1: 150569bbd9cc865f419c797fdc562d0895a09800 SHA256: 0ee6d8205d48b11ec763dd8522803de07e3698c64801c258fc71bcc330aedc8f SSDeep: 1536:PpoUcXPFVCZOxQnrmIUKL3NXvttqwX0W6tK+T/fmSh7KP/h:PIIXUKLBCwEWWRXxIh |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.Sj6SoGBJ.pptx | 34.42 KB |
MD5:
f3cfa2ce3d0290eee4125fbbe0b94384
SHA1: 744d4398a2e3a634af348976c56deba1fd9a4ac4 SHA256: f579b483325654a1f19f1460d18cf227b0601378a29a6ab1c695ec84e167601b SSDeep: 768:IMPGIMJC/1MhvWTiv2wzd7aOOZZi/0IHqPw8HsPK3of:PGIMJC9+vWT0PCZjIeU6of |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8ZHaOi1b54EwUUY.wav | 33.72 KB |
MD5:
ed3672795f34c44e15608499b8b34b78
SHA1: d5b127fd25e6ea89caa4eaa1559660bb03f21cde SHA256: c5714b5a17531d8d46f41f679b8b3f214f2bb34fff94875647528951e850ba68 SSDeep: 768:URDaHf1r1F7XanldymQGKaQ8uOAnxt5ECegddlJg4Pu:URDaHf1r1F76yCQ8j0EZgdrOd |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.07iDkNP.swf | 75.07 KB |
MD5:
b3b89f40cf849646c135c2bc0b5cdfb1
SHA1: 086ed5a9a5d3dde1acca3dfd78f69027b81807d5 SHA256: f7a1c01b29913a31c2156737f9b0204c9ae76a5faba7440e2a13e872a026081b SSDeep: 1536:o8ksquPWDKD3YO0MjHmQeIK6rUz7j5dK/JPE+Vwxm0qy9F2i04:o8VquToOhjpeqY3j3KRs+VwxmsW4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.WoAfC7fH.docx | 84.84 KB |
MD5:
0ed8aa5463d74bda6c2dbbf465d65d0a
SHA1: 49e9c64f14205a28fc6edadfac984998290cd39a SHA256: c95a6c4e442a992ac47f5d964c224c13d10540c22f7c8036978a7bf4e17c1942 SSDeep: 1536:b+g2zUAox2Go+L12wXbZ45fjFjKIdOMK/dQQVLt1IPmOzwLqJydE:br4UAox2K12ONSF+AodQQVLtWPPbJya |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.dH8KjJr-DCE7s3hc0W.rtf | 31.41 KB |
MD5:
8313c9d938ada8e3f5b8bf9694c91f90
SHA1: 88007d7c1808108391fb38eb41c03cacdac33bc4 SHA256: 1aeddfcedf1454036b26a280c69c74e971095ebd87acadc9a6a491454ddaff66 SSDeep: 768:fZK3bLBMLPOsoYrProuGbmdoDuBqvdPTrs/OlkY2vESi:fubLmLmFYrPosok2xI/OX2vfi |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.cVtkaJxJuKDO0_4HwRfX.pptx | 10.64 KB |
MD5:
5e31eda5d2411824f192069cc107c871
SHA1: 8f1873baaa76e2a6572f45ad608cfc279ae8a5c7 SHA256: 77efda929c152f01c2d4b438abcee2046ce082d8c7031b0909a67c5cfa2cd1d6 SSDeep: 192:+DLMAgeI32t2vbCAET6PyF9N5DhTZvzvgqL3A07ZvZmwd:H/eeNg2Py55NTRMsw+ewd |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HD1FLLNmLPJ7igO2XSQ.png | 34.12 KB |
MD5:
2d3dc65b8e76a52658e1be5267494147
SHA1: b3e7e9f83b6ec89598be39ac481c28a3bc2029ba SHA256: 889611a0267d727fe7a1212e334f8c0319f3db529f0258f4db4c9e98a633cafb SSDeep: 768:x6pAhsp6g6GC3TEevOAWpXFVqAjPl+wKROskwXYJX1n:6A2p7nCAevOAyXqA7l+wK5XwV |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.rzTdzniVDq.csv | 56.70 KB |
MD5:
a5e750509d2d95537f6afa4bcd1b035c
SHA1: 59041c4452ca60fcbd033a33f8efdc9af301bcc3 SHA256: 46f07a2ba403e70bd29249640e7aedb763ca6fc612714432f00fa9473429a273 SSDeep: 768:L0xc2NxK6bPrHWbCj42Z/ECcZTH2drOa04Wm774yFNVW80Nrd1heNvU/Ma8NDTLM:Ea6fHn38C7CaVb77m80x8NvUkZDTLBQJ |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.oNfvs3LGk1TKi1J4_aSN.xlsx | 2.40 KB |
MD5:
bc2f77130b5a6d301671f4d711e04c3b
SHA1: 1b33abfc0040c1fd51fc07e8f96a7fb6d846517a SHA256: af7f5db7186d4350557c6ebd012ccca374357cc9b7e97d77ca40545133fa0c0e SSDeep: 48:IuUi8QL8w+CevG0iajzLwOtvDLugiPM/5nQhcSNmHF80CXh9yN3wR:G7c2fO0BbtvDLx5nQuSNka/s3wR |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eA3aYZlB_n2DMgb4vCUM.bmp | 49.99 KB |
MD5:
947b403b1c8bc63e56b86bc1767396eb
SHA1: 452181a7d3c0d0ad3c3faff96a6a10fc3e183d2d SHA256: 8c4813629028a3ea471f5e45b1069248c98f26890a360efb137144c72edcaa71 SSDeep: 1536:CyKmKYm71FOwlKTUIumdQXj+UQp9a5EZ8l:CyBE1FTlkbumdaj+z9Ix |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.OHPAk7bl2NSxuhuQR7XV.flv | 35.41 KB |
MD5:
a9f7c0bb941e457e2fb2f9bb7b0d3d96
SHA1: 1f22fe9eeb6101535bb77a04eb280c20488b36b2 SHA256: 424dfb500879a10aa02486694fd93d2c8ad01d55bdcfcf0f3991ca04a9219984 SSDeep: 768:adC2SfGn+vOmPeuBuGPuOlRi1YSrqMAfZEcQbEwXRZjE/p:jQMOqBbG5914i3Ex |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.dPayGG-Py.wav | 6.80 KB |
MD5:
063955cdae7d736128e8447d79fe0dd2
SHA1: 8cb5494412207753ed84ae301eadf50b92d243b4 SHA256: ee238d9e0bd162b2595c8085e5072599be856fbc5311d94c9610be9c78944ed8 SSDeep: 192:cwbwYyi1KufS6kKdfxkMZXxg+GQ+Jyw5055viHJmfdl:jaiQufh5dfY+syw54+4fdl |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.33ks1nc2w.xlsx | 85.71 KB |
MD5:
1ce730ed4ddd0e06f3ec6ee252423eb8
SHA1: 192526192c3d470fdf0252588810c688717ccafe SHA256: 5709fd5bd8c1e5f9155756a102b0b20f52215c036ffa8ac1e8bc4d2a70452c88 SSDeep: 1536:Oa9QNURbMnyFHWU7r74AeN6kxyhdyAYmooXigKkc2:zQSRbMnygode4k+dLriHQ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.6UcE2 -hZ7ABmj.bmp | 77.27 KB |
MD5:
6254c6042998d0b3aa2d5f43835da1b9
SHA1: 25db29f864144c94aef32628059a7f112ada434c SHA256: 08d8dacc9e92d1efd86ec29f17c9fd60f4313923361b7dd151faf5607278ebfe SSDeep: 1536:/9zbyQqfmuy/dWQtC3P+657XpDOo+t9rVZFNqvxsMIkyF8Yf:pbyEuy/nar5DOo+rrVXS2M/eXf |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.Ihhj7L6.docx | 36.23 KB |
MD5:
c8d4308e21d92f913ad2a6f2f01321a5
SHA1: d5895fda1cab3f8ef8f21e2db99bb95637b8a641 SHA256: 7a38e22bead060e7966b7308a96ee0342ae20d7071b73938ffe4d676a3439d95 SSDeep: 768:pv6yBX7Dj6XbeKGIMJiTMQAUSoi5W9XM1uZPti5/4tQBaQI8c:pvjBXQbCJiQRUZQWNM1wti5xa+c |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.P6_LLd2-wg7.gif | 38.38 KB |
MD5:
9a659682e57e60da6366fc7ed5515490
SHA1: b13e4f1f44d7907d06fc8ae4f8d99c82e325e927 SHA256: fa5755e6fd3b07eaeb2d95d1deea84a4f8e41a69d326b7470bb994089f1e226c SSDeep: 768:yqWFGKVvzrApmZ++V9QR9OY1z18d5DHIlEbpqSoQQanFYCvLu1tT80lxD7X54:yqw3x7w+k5z1oIKoQN+CvSc0lx3p4 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.Database1.accdb | 348.01 KB |
MD5:
9af7e3f6135e9157d8c260551d393d2a
SHA1: ea1f600ab97c8021894b9a6734d6532aa200670e SHA256: 7334250c767d958c7394b89d294534bffa2fa38468b67080e45a8c8bb1e63dea SSDeep: 6144:ia4Xn03WRjGfqSWithCqVUhDGMLZcN9ehtoyy9FCAmrr64owvO:D0RaqS/SvtLyNc5yzCrlowG |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.W9JWpaycQhp.pptx | 2.60 KB |
MD5:
74764eddf7fe5947be99268fc2eab871
SHA1: 2c5c160dcfa0bd0127b33b2c49404f8654471ecc SHA256: 23625275a1295446e6b31ea658a76e702cf7929964be049852d3d73b4911d489 SSDeep: 48:I6Jw9ve01voCJVx1q5w/iNuZ8vbs/KMsDXpop+BKmnPNdEGh2:Zwg0J7xo5a+W2bsLyXpomKmnPh2 |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.TzQzGhO-DVwBiUIbj v.odp | 93.72 KB |
MD5:
804d65ed973ca44ac6dfc26d907ad47b
SHA1: 790b18981795bf0a01b504c49d93a5a1182399d2 SHA256: 3a4c13d168ddaffde2c4325723188919b9f7dd32a6355564d38f8805c1fd2726 SSDeep: 1536:ZcEHSkYvCUO8iJ3XZVpnbL8WCBb86/rAutkEiKJWIFPdahWE9yjHezcBMu/y:qEH6Q5VNbubhXrTFPdgWMyjH94 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music/Lock.desktop.ini | 0.50 KB |
MD5:
3e5d2582a5d0c915afef6c8cafa343d1
SHA1: 7062928a2ec000838f78dce8c48693a1859471e1 SHA256: 34ae08d15c34e017facda7c39f7b5f9e8cc891b160072b908969a1a2523772aa SSDeep: 12:x/YcZ74iPoQKG9CHlw5Ok9LIDNV86xqSx95b+1ywId21p4sE0e11:xwA71FCdk9LIU4x3b4bId2Y4er |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.S0Njuyb0MbA8NPe7f.odp | 44.82 KB |
MD5:
e98041721764c1fab5c50232ea96e654
SHA1: 97308ee81c26eff21e9037e9b257980e4d970ed2 SHA256: 5af62335cc205acf7d24db86cc0f441b9909ee966f66a1f4bf6d8546d1b6e93a SSDeep: 768:J5RJp75qJ9VM0CqQNnQvPQkhICnxZbIvl81OQKAqQL7iGZaifcy7gZuJdjQdR:J9p75qJ920LOkrhrxxIv27KrCaifh9G |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.FsWV1eA3OkafmtB.xlsx | 63.62 KB |
MD5:
91a37f47ef6d1fc202e64feed22f8fb3
SHA1: c4c84cd6f54db6f531116fda71db8d33614c869a SHA256: a011cfbdd10d3d54e17877bfa598f99d4de7e4bd2a844d4a4328d4f7751c2a96 SSDeep: 1536:CI8GKIkRFyxJyJz31tUvslJKq021M/mctW8W6/yN/:cGKFjj1tiOA61M/npNu |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.desktop.ini | 0.40 KB |
MD5:
7835655816219d921dffbdb312396000
SHA1: bee4392a2a21f1faff64510296ed6d29d5ba6e7a SHA256: 4ef42b28c2d34762c16b1b31beae549b7a01c891ecf402fe5fe84b79f12afce5 SSDeep: 6:x/unJ6ZESn4iPU+HID8/KOv9CuA4+2Nof9wWdQM4hW0Zi7DYVc8k:x/YcZ74iPoQKG9CuA4GlqG2k |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.IRevt7-Vo2dY1p.docx | 93.05 KB |
MD5:
cc8d23f8a4ead6ad1ced1e95cffba700
SHA1: 47a528bc656639ba8ec9a6e760213ff360e8436e SHA256: 4390ab4a2f7626661838f5ae3b1ef9d611493e93de033c897ab502727c2dcd9d SSDeep: 1536:Zc83T0nphVfm2/qwsQzJHa1kNsYz8W6n3IHTMz/LsA32BZlBgKtNcDp:Zf3wg2iIV9uYoW6n3IzuT532hLNQp |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.Desktop Ransomware.exe | 808.01 KB |
MD5:
1286543236c90b1cb75cb9a7aaabee5a
SHA1: 92a2e58196f69840ad1c237fb2d60a96780a3b83 SHA256: 55f47a683b0c52edf25e6afd61f6872ab2d7202cd682de69e4175f52a564aebc SSDeep: 12288:wvKre4+gyK6YaQZ1GYvDOrge1bNIDFu+VEA2GPXbsVqI0is3UQrULQ/Ex:ws+xK6YaQGYvDOj2u+N/bsV0nUQrSrx |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.4 oKstOLjt Ogj.csv | 72.30 KB |
MD5:
6a1a55bc8cc6912d44122760b9aa3da1
SHA1: 2ccbe6bd682f748f53df833f5271fafac2c78559 SHA256: 7b550a29195405e1856392f941d2ac72ab8b314cc6d85e1cb54424ad2c911b5a SSDeep: 1536:lVXbZvO3szmjaGhdPC1aKAvLbZgIC8JQDQGYuIZh0pygt2o049:vXbijhBsrQfZ/5QEmu2 |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.Qro3U.bmp | 47.45 KB |
MD5:
d5d4294ad1e79c38b028053b1ae5c594
SHA1: cdfa3c26a3e7fac9f59628c2f8854353c4c3bb7c SHA256: 15041f9d9cd5ca2a8495da4fb3f03f80fd68eff820a5ad876d44e364b67428b3 SSDeep: 768:V0zAHbUV6zCqA216smzBMM09sunW6R7C2NflTWBc6COpyX8lNF+7n5sCEqLBNi2W:aAowzDA2OC9suBR7C2tlYCOpXlNg7n5w |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.5IRX mV-dQwqDIWU8l.docx | 79.51 KB |
MD5:
83d6d733f7fad2d73b45931fde3dd17a
SHA1: ceed48f7ee254b5cec7591dbbb70ae3262154bf8 SHA256: 5b269e3c84b44cdbe245a561903503ac21d0599769747af39cc5b473d38e7006 SSDeep: 1536:bB8tte9zLpXSQXak4iHiHMiK3/SbcqKdxxWJgh3TwfcCtMX5BrsS1q1Nz1BNGpAw:NOtAL2+iHnToqzJgh380wMYn3Pi |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.sUead_MVmaeTHpH.bmp | 71.29 KB |
MD5:
1e7171ac841afbca69adc30b85fc6459
SHA1: 3fc4ac7bd8c0ed72f14705f25f8b5d59044373ba SHA256: f6e85960b761c0b7e376cd4ab468d30d69d18072342ece3b6327dcf4e647686f SSDeep: 1536:yXjQjFXLXPAkqSLVQfzXFyMkN1/HGvcFOFb+28GZUiQ:yTAjvLGfFUxLFeb3ZUiQ |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.XyTO98.bmp | 21.46 KB |
MD5:
4fd9dcfc7a00ff51bcb634f2499dc863
SHA1: 0835315f9d83058e34c6b927f76dd4edf453419f SHA256: 219cabcafff610ee6b96c190f511bcfa610d48570de3fec1959a6cab48e213bc SSDeep: 384:JoD7WRRu3XhngcbGUUXot6ECSf8UAgE6hG/8QGrsDaDz/Y/ex0SpoEFxcNQCHiym:CDqj4XhraUq4CIxAgJGTGDY/e/pRMDCn |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LRfe.m4a | 38.93 KB |
MD5:
213033f7f95243e0d081716662e21a4a
SHA1: c7b0b49c5af97e76383ac620ae96928914788ae4 SHA256: 688b6a57f76428e75a2cbf4999fc387e6c3a20beb954b39ed09edae6f5aea18d SSDeep: 768:Z7XQ5Lb5U9rSynUPBQjFztiKjww3w5quwLKsowYISe0pnes:Z8b5IJ4KsrAAVqNmes |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.-2zElut.mkv | 98.02 KB |
MD5:
467557558ba9cf412e7ab50cb9de620f
SHA1: 4b71b2409ba3e87cc2fd1f0c508c919ad36ce36b SHA256: cc04f7e5922517f244ccafa653de5301df75c12677bc44088bff470b45397e7b SSDeep: 1536:cuflEAc4tRrq7L7klamUrd3iFw1/2fAyvIdJHK5krPGNM0PzLiq:jflRtRW7OaprRiF42fCJH+kruNnXiq |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.DzQxuyYypsLJ110Td.docx | 73.61 KB |
MD5:
7dae3050a85d9682e3f0326cdb43c69c
SHA1: 061a0a0125ee2ef3eb72db2fbb2c21437d3c75ac SHA256: 104f2d8a665f20228eac81fd5979a46564dac4fa75369375230b5abf4add007e SSDeep: 1536:d9Syd/X2TFZY1e939Wp17tn18XxoNenX+8cGcqYPKDuaLZN0EriHMK:d9nZXCP3s17NKXxocXLc7fKDzn52sK |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | 205.93 KB |
MD5:
c2ff15c40a01069eb268482e26a43866
SHA1: e32bf7a5d21424cb81c10384fcc2136000482970 SHA256: 27e962d5b9da5196be11b95483eceef3f2a9d43808297d7080702164057a7949 SSDeep: 6144:BVHTAEeVrUGxoLoxEfO0v8B0/SAJS/NWye:bTAjAloiO2/n4Nfe |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.3 rt.png | 46.73 KB |
MD5:
f5e1efa96e3b02f0a1ede22a8ddb0a85
SHA1: 201ca097d549ad9144968df5597d6febb1819df1 SHA256: 75e250a5515bda8cea73b1cee75afebceb2d2aa1f32a0eca79d8a4172de1f194 SSDeep: 768:34mPkNr3AhV+v5lSzPkk/oDf6mydJZyFjetazRt9EyV0lxAJusiBbbCRGgWBsQLf:PPKWVs5lSzPklf6mMJusirEc0lxASRbF |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.lcXeGR.jpg | 10.63 KB |
MD5:
df634e283fd8bb46316fd83dc1876ec6
SHA1: 35b85d002c03c86db4122a6fc211c1ea24858866 SHA256: 82b200c3877eb205e50024dc53b9674877b578e0c7042d00f9b75fe939dede63 SSDeep: 192:d+jVShXwHnAESFLQ6S5UvTyzn4txsWekkndd5ahbtHyLvikBIDTdHhgDGFE7UoDX:d+xcXwHV+LQp50TanCePddMhbtHeviZk |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.jg83kL7EHzk5tOx.pptx | 86.69 KB |
MD5:
20de5fd8acf670ca264e7171acc7b6cc
SHA1: 8da287e57d2e0d669f32659468b82171277740d3 SHA256: 4e8e9d2b809210aed2298d9c4205eb1af41f043aa1bbe59d73e352d5a8c5f4fc SSDeep: 1536:7vbogrYzf3LGCJ+n7I9fVGAuUsFU9IdBbdpbWESAzv1o/006KsRHj96yTG8i/el:uL7JG7IBwduudBbTCELzv13WsRHjQw |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.my4LIyozfPFM.mp4 | 28.58 KB |
MD5:
3fffa3ffb3c338095c9ae6c8bf0edb82
SHA1: 8abe2daeac8bba85630f558338c1e0685876df73 SHA256: 87c8b2cba4daa4addcdebe55143a5a66e32fadfe97b5b7bcd891b36abf2afd08 SSDeep: 768:4NzPoTKtsn7+wXuuKuKYsWQ1OtAxuHGYmuX/r1Vij:E7ts7nlKXWaO6gm8/a |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.PiMy.wav | 1.80 KB |
MD5:
dbae8318821cc7a24304b1b3567af775
SHA1: 2923ea576a6d16ef1088a5e31cd5f74d26711c3c SHA256: e4a19fad6794f805c6fad10e28afff46c2febe392f37fadc28902c6a27ec1e26 SSDeep: 48:uEUPxld5lH65HrWxTag4dWOEGUlRVT8Z+qD7/YLej+viMQ6Jw:zuld5lIrWxTh4dWOKl3gsqD7gK5MQl |
|
|
| C:\Users\CIiHmnxMn6Ps\Videos/Lock.Yh3aSzBw6vqSD.mp4 | 67.02 KB |
MD5:
4b6f76bd2b9dec668b355a09388003a7
SHA1: 6318d21225192fd7c7d19a044b94f4c5c39a2f69 SHA256: a39da32f9032c03d2fa7fdc859d76ad16b12b954fc34993382bab7e757e4f3a9 SSDeep: 1536:UMStlpPotfHCZORcYh4v5ZNdUmv7EHe+12uRMc0MoB2I3/ffXY3s:UMStlpPo9Hjh4v5SiE+CCc0My2I3/3es |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YbpOFECxSdU1o.odp | 79.44 KB |
MD5:
49934c6919a98d1c9912462d06ea705b
SHA1: 50e9589dc395b3d377f2c4f2743a90003b858ffa SHA256: f1f107aec8c7c288f9319d0650bb653f42cce6ba243719f745ec5f9ace4abcd1 SSDeep: 1536:3k3t0yH6AN9ki/2HtRGSGaGC9tQIcnKG1LNhvMsdDSESL45LqejDtGgeiZeZ6H1m:06yaANaiONTGaP932VpfvKL45LNGliUF |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.G-L JfK4PzqcH7ER.csv | 25.66 KB |
MD5:
bad959de243dcf334a006e4ebc465f78
SHA1: 2e7a34c59097c92f01438b71a2af71c0819d825b SHA256: e78613feae52cc96f450f69af9c45e88e3dcb4be0ad176b60158b904f1ba852b SSDeep: 384:B48QngckFygCEXXNvXhaKjpmLso9QZXzmHMhBXTGrjFoSWGTY5CmUBahIVPVZWEZ:B4dnswSN/NkLso9nVrj4DeNlGERM226 |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.IKU0-73q9hf36BYJPVXf.flv | 29.41 KB |
MD5:
96f23ade803faa1a16545f9fe6ffde6a
SHA1: 77709d6fac78b81380422dd0e3728c6ad4aa09fe SHA256: eb467045997cbe84ade2821e78ab54c9228205b3b8dcae4ca051350069595c91 SSDeep: 768:Po/XdPZff9tTdWTtf8PJvwt+pP+BAGeymU1GOyjN8:AHfSkPJ4t++BAGxrGOq8 |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.KwL8B1f2HAeXB.ots | 91.38 KB |
MD5:
8d72829a904af43db7f489b422ce637b
SHA1: d818f7b165002a753291782521f6978df8731893 SHA256: a4839cc25e8ea58207d212f225c8c94afd516375035a273b71bda4b4984d7eaa SSDeep: 1536:4TCmxrtZhcCztvcGvIio0jl7vfdye8eqawDRCgjbhyU2+AorTknYzERW:E5r/hcCfjl4cDg/hyCnaRW |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.TempCHHKSM.exe | 826.10 KB |
MD5:
d8fe7c4ac10c250dfe0e808505d4a99f
SHA1: 264077792d7d2f62972f063d2bc35157ee563c66 SHA256: 3c46ab4bf7b6b8b3a5b8959432966b9a88422fcd7e762a4fcb28dba131c4e0d0 SSDeep: 24576:t3IHOvL8GTn4cIQN1t6R/+kMs2wFMiBve:tYkLFHIQNXfDqmiBW |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xH2Q91hAXQ3Pfvttd_N.wav | 91.17 KB |
MD5:
ea5ce45706e2eef2baba047f506fa7cc
SHA1: d657410ae6caca7031ef0edfa3f520340adcc0b8 SHA256: 2776b14b7e404dd7448ce5a65c6efe14e2b6c33c1ba596c2723b840760c06a32 SSDeep: 1536:+53kjcv+lyZPpVKZ0TTC4WH1mh5Ig8uMiypstbjugDoEZxAVhR5fVWS52:+RV+lyZhV7TIn1uMi0qH9DoErAVh7VX2 |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eZG2gw6YILMiFluj.csv | 6.75 KB |
MD5:
b02c087c6279a387903d9ada44bb5bbf
SHA1: 518f1d7240fd3866a31f6dded5f57e0d5deb5c85 SHA256: 083352332194af9722347d743784d01ebadf22c61a315e78ca07104badb3b0ca SSDeep: 96:ue+4rwGDIKSwbInsD5OfPGNvgeodL4ZpUCTbDQVDA5MAUYXe1pc4qY+CKv+pzKiC:uelrwBQNOjxdL9CT/Gm4/qYJKvhi/YJ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.lITr E-u.ots | 53.54 KB |
MD5:
a8a8fd9f0c4c1f676bf6434d82092140
SHA1: b7ae60dd21936b8a8bccd6359622011a28be2fbc SHA256: 80d4868bbf959c9879054ff58cbf308ead109ddaa21dd6f112c408c7d53dc21d SSDeep: 1536:XK7Snc3idWTKU2H4CDTntd85/C5mbyAvrE7:2iATl2TU/ZvA7 |
|
|
| C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | 158.46 KB |
MD5:
cdf733d7407b35777abf9878edcf7eff
SHA1: b9180cdec4ad67db8a3f700908648a777927d4ff SHA256: 628281dc8f38559a8669adbde96e91d7b81899d3ab9f25ae341d91a6b1b9f555 SSDeep: 3072:hjLSuioNwflplXMkw6kFSUMIjRaAAirK6IT9eRM5r3k:hjGzfXlXzlkjjAAAi29wKU |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.2k9SgaKkgk9oGZO2eWO.wav | 7.19 KB |
MD5:
27478ed931c95e07773c94bc1b2ac044
SHA1: dbbd40f0b0fad5ae4b14841c7339538ff6faf805 SHA256: a1721745e4ca75a4188deab353e6446315db52c4a4779191dcff712a304fad13 SSDeep: 192:u6XDiae9E4L8g68O+B33+qN48798aiKmAjLsWzE2rRfA:bXDiGy8g6Y3+E4kRmqTzndo |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.K2q1laBaVd-UhyM66s.mkv | 66.12 KB |
MD5:
e1cacbfbf743ddc22d6bd6756de7a121
SHA1: 4cd3e0e0a3b8e996cfc6ef9292fcfd2d939c08bb SHA256: a009c9be69905dc090f32268ea88e72b2b2ea467ce240eb5927c4045edacdbaf SSDeep: 1536:pgDCqbUdmQ8pQMH6NtseIgIvR/z/n2cMScJq975VFoO/JLWA:pWCoUd7S6NtsdPprww9ND/cA |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.K1kWG.swf | 97.43 KB |
MD5:
39c8efd0de27ea13686a65ae1f31f775
SHA1: f3a36dc08265f72cde0630182a60f83f523e4a68 SHA256: 7eab751f9e61ca6ee3e052d702262ecf81f7d090382d34280210d0a62dce5c9d SSDeep: 1536:gwsCwNG0fWmX6qAqJVRCr5Zj09Ih17JilU3gQ9yqV/k+kUKG7QgAVdwe8LS:gtZpWmXWqzRCjFhHilcsqe+kUPUweGS |
|
|
| C:\Users\CIiHmnxMn6Ps\Pictures/Lock.yrGrT5GM2kHnbKjZs.png | 11.66 KB |
MD5:
f89dd67365b8cb6a0ead8b6418beca42
SHA1: 1fecc1b2ee957cbe72612310d61e7db15e40e273 SHA256: 05e8a2e16cbd302ed5d3c413743133bff21d7b9842f2904eccce47e52fc09a44 SSDeep: 192:/vaoC7dYWCG5FGM00Ayfzx+fkOVnT1yGFP8Ka8b81wG/:/vd7WCqGt5yfzxkVnBN+8b8Co |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.vgl6TzQ9uzGXrbslc.pptx | 63.44 KB |
MD5:
ea754a41a7a6f9e4cf9cd484ab82e0af
SHA1: 723e798dcb0c99e81048e474466a9a3465cf880a SHA256: 932b1c457037662ae6334900eac8a1a18a575a84e9a911de3496448f71414727 SSDeep: 1536:TVtgaT1baujvtfMgAWBuWETSaPdL9YMncNwqnU/Ysfzmqryg762ha:RtgMwKBJETSg99YMn+U/BX3a |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.oOD4uhzm Zkl2zk.mp4 | 99.88 KB |
MD5:
1a4e97b27a6267fec8f1f3fec4c84624
SHA1: ef376db17628ae50c00c2f2c569937d1cef0e3b1 SHA256: 1c13abbe91dfb174afa5ff05a144b885f41f92d9b4f38bdc5f6f284ef3c4356d SSDeep: 3072:cBMnNNdclv0rRlQmEjKU0LsgqlvLv448aamu64rsyd0J9:nnNNI0TQTKBLPqlTvwku64ruJ9 |
|
|
| C:\Users\CIiHmnxMn6Ps\Music/Lock.ZPcES1.wav | 43.38 KB |
MD5:
67381f72e3f7a33306868df97f551bcf
SHA1: a27167948b2ba803dc71c0f464e04af9adf0283c SHA256: d9b5ed215316596fb0d327df53f1feda249956a670211c2dfb97c163b42b612e SSDeep: 768:RxCGY6o0/yzlds45IHona2bZguRHK2w5TBETbhSTwFc+RhCGN/cDIIBdR/:Rdo0alOvk7q2OYI2JYICr/ |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.rDNk37jQ34m.avi | 96.94 KB |
MD5:
aed14f9333b2a93202ff9af7368da476
SHA1: abc9855d1a4f818905fb62fbd6a5ca99657212dd SHA256: d9ba3ea3cc667bf84ec0494d9aff23431be36a4abbc32f165a2008e8413e8648 SSDeep: 1536:e5HAajlTIgcc7mK0IfRZz/N75tfhmAs74XaXzC5+kAeUJbtytvx4n8/4f7wtUSxk:eHAHgcc7fLf/9hs4Xaa+kyty7QTUi |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.V9yoC.mp3 | 74.09 KB |
MD5:
c8580ee6280f3df84530d6e74407a716
SHA1: a937ac148b32efd9703442ac5b8be008ea62fbd5 SHA256: c5b10ac9e5668e66e531d67045b5fcbf0879d443c7c64fd01180367c49bac379 SSDeep: 1536:imagLmAjyVSfPk2ahtgsjApFh6WXUpDtCqhlh3mx/tuEw3IkOwY:i3gqAmV8OgrpiWQZEw3IkdY |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.Y1zhfb0f.pps | 99.62 KB |
MD5:
65c7385cae4ca02c95202134b4755dad
SHA1: 4f2ec5107d4e6f717769d9efcef47522b0c73d16 SHA256: ef757998e795045f35e65586e12fc578c0899dd0784c89c0cfd10ceb422c5424 SSDeep: 3072:YHEnP2Q3jXcsX3Hgl+H286ruO2tP+rbtwNL:lnPX7csnHgl+H2zuntPCwx |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.AkLAPzq8O4g_04G.xlsx | 14.00 KB |
MD5:
18e6554b26dfa99d3f2c2f4be61adf99
SHA1: 99e665dfd77a241a8ed514cdc027374bedcdf987 SHA256: 541f11d8cbbd527e9e8705bd42fd29219d32c3ab852848956fb5b14674a3f1af SSDeep: 384:Z369/3PfNGHw6LzYij6DCKxTcUkDJl+Mg:Z36t3PfSwKk86DCeGHXg |
|
|
| C:\Users\CIiHmnxMn6Ps\Desktop/Lock.desktop.ini | 0.28 KB |
MD5:
ba41cfaa9aff58c3b40c7ac73b4d1cd4
SHA1: 691f19d9330522a47b16c832c6d6b51a3a2efc72 SHA256: 30fb6cb48d4689a02731dedf82483a58738ba4131e4be90b2a44bd1ab9fd6a0a SSDeep: 6:x/unJ6ZESn4iPU+HID8/KOv9C1pO+Q6M/N7P0lXXoU+IHn:x/YcZ74iPoQKG9CDO+eF7P0lXXoFyn |
|
|
| C:\Users\CIiHmnxMn6Ps\Documents/Lock.o5UgHIGv4h72IU.pptx | 66.62 KB |
MD5:
4674d139402fecf1ded4946d49a8998c
SHA1: 9d2b9ede9c14fc85971720c6b0a15d2357309f97 SHA256: d12202bba734b9e2468dd1b0b0dfcc5d83f20b497e53003c569ac2dcfedd3777 SSDeep: 1536:dzPhqxeH/XOyG/GVwolvwPbSjP/PKwCSrg0v6e:dzoxeH//woWPbSznKBe |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.MLN9.csv | 7.78 KB |
MD5:
9f7314a34cfcc8c71eab81bdec14c85b
SHA1: 851d4ec16e4d4b61e3537114cdd7817c9cbf4350 SHA256: 794b29e096c7880d664e97b6d719d7ad4c9bc63cdde2b0c25db75fb588894702 SSDeep: 192:cXPHH6FK8me88AyIp0EbfkmHztTA44EHHPCHe5:G982+hEbfXHlSEHHPs+ |
|
|
| C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.3- s1lsS.gif | 58.35 KB |
MD5:
93453037a01e1a4cefda9b33166b34d1
SHA1: e8663d550f86f564237f042500ef90faa4d0bbfb SHA256: 007bef11bfde71251c031a908ecd91db3bb28387e2c94129c9ddf331b67ec1d4 SSDeep: 1536:kTFtv74/LEY+KXpAwqbdU7/JgqsAwoYVhQ:kT8wY+WgbGOqeoGQ |
|
|
| C:\Users\Public\Pictures/Lock.desktop.ini | 0.38 KB |
MD5:
ab6923299c092b4c0f3fcfbbe65b1621
SHA1: 72261916cc9544c36b6f9c50bd3c1ba12d1f058d SHA256: 25e6ceecdbf5de7a584bb272da67f20ddb8fba4f068a7b15ea05eab2bb60bd0f SSDeep: 6:x/unJ6ZESn4iPU+HID8/KOv9Cwd+Iy+DTybApfQ4a94tu7fu7Kesza865InVVdwA:x/YcZ74iPoQKG9Cwd+IPTcAp4P9p7fuo |
|
|
Host Behavior
File (1393)
| Operation | Filename | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/-2zElut.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.-2zElut.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/3 rt.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.3 rt.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/5h pi4P G_.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.5h pi4P G_.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/6UcE2 -hZ7ABmj.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.6UcE2 -hZ7ABmj.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/8irUlxoryz9NBEdK.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8irUlxoryz9NBEdK.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/8ZHaOi1b54EwUUY.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8ZHaOi1b54EwUUY.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Desktop Ransomware.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.Desktop Ransomware.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/dPayGG-Py.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.dPayGG-Py.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/e5GfWHYXYvLZf4xlvH.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.e5GfWHYXYvLZf4xlvH.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/gj X79Jxk-e2.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.gj X79Jxk-e2.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/IKU0-73q9hf36BYJPVXf.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.IKU0-73q9hf36BYJPVXf.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/J_D_Smy7X3HCRMT CH6x.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.J_D_Smy7X3HCRMT CH6x.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/K2q1laBaVd-UhyM66s.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.K2q1laBaVd-UhyM66s.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/lITr E-u.ots | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.lITr E-u.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/md9DYhuwlzuJ4s.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.md9DYhuwlzuJ4s.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/OHPAk7bl2NSxuhuQR7XV.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.OHPAk7bl2NSxuhuQR7XV.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/oOD4uhzm Zkl2zk.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.oOD4uhzm Zkl2zk.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/P6_LLd2-wg7.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.P6_LLd2-wg7.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/rDNk37jQ34m.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.rDNk37jQ34m.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/S0Njuyb0MbA8NPe7f.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.S0Njuyb0MbA8NPe7f.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/SN-7hPJVIjPbeSt.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.SN-7hPJVIjPbeSt.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/sUead_MVmaeTHpH.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.sUead_MVmaeTHpH.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/uQdlphYG1dbqk1.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.uQdlphYG1dbqk1.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/V9yoC.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.V9yoC.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/VowNGbAt2Uc.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.VowNGbAt2Uc.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/v_rOYmuVae.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.v_rOYmuVae.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/W9JWpaycQhp.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.W9JWpaycQhp.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/wxFZJI-.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.wxFZJI-.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/xH2Q91hAXQ3Pfvttd_N.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xH2Q91hAXQ3Pfvttd_N.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/xJQWy0H5XjB.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xJQWy0H5XjB.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/z0fFK_swV0a.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.z0fFK_swV0a.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/07iDkNP.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.07iDkNP.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/2k9SgaKkgk9oGZO2eWO.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.2k9SgaKkgk9oGZO2eWO.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/3- s1lsS.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.3- s1lsS.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/4hX BzG8K.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.4hX BzG8K.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6Ihl59F1EW3Dmio30.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6Ihl59F1EW3Dmio30.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6x1noCxpBp1mmFoeCN6T.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6x1noCxpBp1mmFoeCN6T.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/7NLT7b7.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.7NLT7b7.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/a59dR.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.a59dR.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/CHfvN1bcW R8s7_bOrn.xls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.CHfvN1bcW R8s7_bOrn.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/dCV6-VAR1Amz0.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.dCV6-VAR1Amz0.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/DlhsKoDumMDb.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.DlhsKoDumMDb.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/e47Ptw.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.e47Ptw.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eA3aYZlB_n2DMgb4vCUM.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eA3aYZlB_n2DMgb4vCUM.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eZG2gw6YILMiFluj.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eZG2gw6YILMiFluj.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HD1FLLNmLPJ7igO2XSQ.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HD1FLLNmLPJ7igO2XSQ.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HPiFfUsmobc0kOQ6Rzg.flv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HPiFfUsmobc0kOQ6Rzg.flv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/j3xOnM3C5H UUFiE2.pps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.j3xOnM3C5H UUFiE2.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/K1kWG.swf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.K1kWG.swf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/lcXeGR.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.lcXeGR.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LRfe.m4a | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LRfe.m4a | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LvpXw5odR.mkv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LvpXw5odR.mkv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/miHZX-Mq6_uJj5Jr.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.miHZX-Mq6_uJj5Jr.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/MLN9.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.MLN9.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/my4LIyozfPFM.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.my4LIyozfPFM.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/PiMy.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.PiMy.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Qro3U.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.Qro3U.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/R0bpFAwwI.xls | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.R0bpFAwwI.xls | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/rzTdzniVDq.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.rzTdzniVDq.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SBImy.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SBImy.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SeOV2qpgcHWHh_nbqI.mp3 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SeOV2qpgcHWHh_nbqI.mp3 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/sgCJT.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.sgCJT.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/T2Cxs_YQD7nPt.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.T2Cxs_YQD7nPt.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/TzQzGhO-DVwBiUIbj v.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.TzQzGhO-DVwBiUIbj v.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/UiCbiMIX.ods | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.UiCbiMIX.ods | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/XyTO98.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.XyTO98.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YbpOFECxSdU1o.odp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YbpOFECxSdU1o.odp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YeqB3B7c2.odt | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YeqB3B7c2.odt | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Local/IconCache.db | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.IconCache.db | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Local/TempCHHKSM.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.TempCHHKSM.exe | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Music/Lock.ZPcES1.wav | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/di ot4o1qyFI.jpg | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.di ot4o1qyFI.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/pCRiuz4PFsi5.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.pCRiuz4PFsi5.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/SHgyDm0.gif | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.SHgyDm0.gif | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/WNoBJk6u3i.bmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.WNoBJk6u3i.bmp | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/yrGrT5GM2kHnbKjZs.png | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.yrGrT5GM2kHnbKjZs.png | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/5VHrP.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/Lock.5VHrP.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/ctEdCOQfNgS.avi | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/Lock.ctEdCOQfNgS.avi | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/Yh3aSzBw6vqSD.mp4 | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Videos/Lock.Yh3aSzBw6vqSD.mp4 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/33ks1nc2w.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.33ks1nc2w.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/4 oKstOLjt Ogj.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.4 oKstOLjt Ogj.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/5IRX mV-dQwqDIWU8l.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.5IRX mV-dQwqDIWU8l.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/AkLAPzq8O4g_04G.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.AkLAPzq8O4g_04G.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/cVtkaJxJuKDO0_4HwRfX.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.cVtkaJxJuKDO0_4HwRfX.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Database1.accdb | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Database1.accdb | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/dH8KjJr-DCE7s3hc0W.rtf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.dH8KjJr-DCE7s3hc0W.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/DzQxuyYypsLJ110Td.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.DzQxuyYypsLJ110Td.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/e4YsgwXPFnJ1eF_aq_.rtf | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.e4YsgwXPFnJ1eF_aq_.rtf | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/FsWV1eA3OkafmtB.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.FsWV1eA3OkafmtB.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/G-L JfK4PzqcH7ER.csv | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.G-L JfK4PzqcH7ER.csv | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Ihhj7L6.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Ihhj7L6.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/IRevt7-Vo2dY1p.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.IRevt7-Vo2dY1p.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/jg83kL7EHzk5tOx.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.jg83kL7EHzk5tOx.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/KwL8B1f2HAeXB.ots | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.KwL8B1f2HAeXB.ots | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/lqoCl6y.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.lqoCl6y.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/o5UgHIGv4h72IU.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.o5UgHIGv4h72IU.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/oNfvs3LGk1TKi1J4_aSN.xlsx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.oNfvs3LGk1TKi1J4_aSN.xlsx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Sj6SoGBJ.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Sj6SoGBJ.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/vgl6TzQ9uzGXrbslc.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.vgl6TzQ9uzGXrbslc.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/VgQS p2zoBtKpHSKB.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.VgQS p2zoBtKpHSKB.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/WoAfC7fH.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.WoAfC7fH.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/WUpSn9HARv5eBhQKKyI.docx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.WUpSn9HARv5eBhQKKyI.docx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/XYua.pptx | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.XYua.pptx | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Y1zhfb0f.pps | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Y1zhfb0f.pps | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Documents/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Documents/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Pictures/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Pictures/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Videos/desktop.ini | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\Public\Videos/Lock.desktop.ini | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp/8x8x8 | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE |
|
1 | |
| Create | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE |
|
1 | |
| Create | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| Create Temp File | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | path = C:\Users\CIIHMN~1\AppData\Local\Temp\, prefix = aut |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop/ | type = file_attributes |
|
32 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\-2zElut.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\-2zElut.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\3 rt.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\3 rt.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\5h pi4P G_.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\5h pi4P G_.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\6UcE2 -hZ7ABmj.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\6UcE2 -hZ7ABmj.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\8irUlxoryz9NBEdK.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\8irUlxoryz9NBEdK.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\8ZHaOi1b54EwUUY.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\8ZHaOi1b54EwUUY.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\Desktop Ransomware.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\dPayGG-Py.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\dPayGG-Py.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\e5GfWHYXYvLZf4xlvH.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\e5GfWHYXYvLZf4xlvH.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\gj X79Jxk-e2.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\gj X79Jxk-e2.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\IKU0-73q9hf36BYJPVXf.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\IKU0-73q9hf36BYJPVXf.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\J_D_Smy7X3HCRMT CH6x.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\J_D_Smy7X3HCRMT CH6x.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\K2q1laBaVd-UhyM66s.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\K2q1laBaVd-UhyM66s.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\lITr E-u.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\lITr E-u.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\md9DYhuwlzuJ4s.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\md9DYhuwlzuJ4s.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\OHPAk7bl2NSxuhuQR7XV.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\OHPAk7bl2NSxuhuQR7XV.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\oOD4uhzm Zkl2zk.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\oOD4uhzm Zkl2zk.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\P6_LLd2-wg7.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\P6_LLd2-wg7.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\rDNk37jQ34m.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\rDNk37jQ34m.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S0Njuyb0MbA8NPe7f.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\S0Njuyb0MbA8NPe7f.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\SN-7hPJVIjPbeSt.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\SN-7hPJVIjPbeSt.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\sUead_MVmaeTHpH.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\sUead_MVmaeTHpH.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\uQdlphYG1dbqk1.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\uQdlphYG1dbqk1.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\V9yoC.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\V9yoC.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\VowNGbAt2Uc.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\VowNGbAt2Uc.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\v_rOYmuVae.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\v_rOYmuVae.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\W9JWpaycQhp.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\W9JWpaycQhp.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\wxFZJI-.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\wxFZJI-.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\xH2Q91hAXQ3Pfvttd_N.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\xH2Q91hAXQ3Pfvttd_N.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\xJQWy0H5XjB.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\xJQWy0H5XjB.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\z0fFK_swV0a.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Desktop\z0fFK_swV0a.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps/AppData/Roaming\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/ | type = file_attributes |
|
37 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\07iDkNP.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\07iDkNP.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2k9SgaKkgk9oGZO2eWO.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2k9SgaKkgk9oGZO2eWO.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\3- s1lsS.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\3- s1lsS.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4hX BzG8K.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4hX BzG8K.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6Ihl59F1EW3Dmio30.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6Ihl59F1EW3Dmio30.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6x1noCxpBp1mmFoeCN6T.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6x1noCxpBp1mmFoeCN6T.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\7NLT7b7.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\7NLT7b7.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\a59dR.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\a59dR.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CHfvN1bcW R8s7_bOrn.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CHfvN1bcW R8s7_bOrn.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dCV6-VAR1Amz0.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dCV6-VAR1Amz0.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DlhsKoDumMDb.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DlhsKoDumMDb.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\e47Ptw.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\e47Ptw.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eA3aYZlB_n2DMgb4vCUM.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eA3aYZlB_n2DMgb4vCUM.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eZG2gw6YILMiFluj.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eZG2gw6YILMiFluj.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HD1FLLNmLPJ7igO2XSQ.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HD1FLLNmLPJ7igO2XSQ.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HPiFfUsmobc0kOQ6Rzg.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HPiFfUsmobc0kOQ6Rzg.flv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\j3xOnM3C5H UUFiE2.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\j3xOnM3C5H UUFiE2.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\K1kWG.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\K1kWG.swf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcXeGR.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcXeGR.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LRfe.m4a | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LRfe.m4a | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LvpXw5odR.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LvpXw5odR.mkv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\miHZX-Mq6_uJj5Jr.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\miHZX-Mq6_uJj5Jr.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MLN9.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MLN9.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\my4LIyozfPFM.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\my4LIyozfPFM.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PiMy.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PiMy.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Qro3U.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Qro3U.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\R0bpFAwwI.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\R0bpFAwwI.xls | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rzTdzniVDq.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rzTdzniVDq.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SBImy.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SBImy.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SeOV2qpgcHWHh_nbqI.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SeOV2qpgcHWHh_nbqI.mp3 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sgCJT.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sgCJT.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\T2Cxs_YQD7nPt.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\T2Cxs_YQD7nPt.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TzQzGhO-DVwBiUIbj v.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TzQzGhO-DVwBiUIbj v.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UiCbiMIX.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UiCbiMIX.ods | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XyTO98.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XyTO98.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YbpOFECxSdU1o.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YbpOFECxSdU1o.odp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YeqB3B7c2.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YeqB3B7c2.odt | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps/AppData/Local\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps/AppData/Local/ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music/ | type = file_attributes |
|
2 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures/ | type = file_attributes |
|
6 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\di ot4o1qyFI.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\di ot4o1qyFI.jpg | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\pCRiuz4PFsi5.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\pCRiuz4PFsi5.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\SHgyDm0.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\SHgyDm0.gif | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\WNoBJk6u3i.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\WNoBJk6u3i.bmp | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\yrGrT5GM2kHnbKjZs.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Pictures\yrGrT5GM2kHnbKjZs.png | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos/ | type = file_attributes |
|
4 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\5VHrP.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\5VHrP.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\ctEdCOQfNgS.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\ctEdCOQfNgS.avi | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\Yh3aSzBw6vqSD.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Videos\Yh3aSzBw6vqSD.mp4 | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents/ | type = file_attributes |
|
26 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\33ks1nc2w.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\33ks1nc2w.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\4 oKstOLjt Ogj.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\4 oKstOLjt Ogj.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\5IRX mV-dQwqDIWU8l.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\5IRX mV-dQwqDIWU8l.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\AkLAPzq8O4g_04G.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\AkLAPzq8O4g_04G.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\cVtkaJxJuKDO0_4HwRfX.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\cVtkaJxJuKDO0_4HwRfX.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Database1.accdb | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\dH8KjJr-DCE7s3hc0W.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\dH8KjJr-DCE7s3hc0W.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\DzQxuyYypsLJ110Td.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\DzQxuyYypsLJ110Td.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\e4YsgwXPFnJ1eF_aq_.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\e4YsgwXPFnJ1eF_aq_.rtf | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\FsWV1eA3OkafmtB.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\FsWV1eA3OkafmtB.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\G-L JfK4PzqcH7ER.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\G-L JfK4PzqcH7ER.csv | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Ihhj7L6.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Ihhj7L6.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\IRevt7-Vo2dY1p.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\IRevt7-Vo2dY1p.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\jg83kL7EHzk5tOx.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\jg83kL7EHzk5tOx.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\KwL8B1f2HAeXB.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\KwL8B1f2HAeXB.ots | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\lqoCl6y.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\lqoCl6y.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\o5UgHIGv4h72IU.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\o5UgHIGv4h72IU.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\oNfvs3LGk1TKi1J4_aSN.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\oNfvs3LGk1TKi1J4_aSN.xlsx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Sj6SoGBJ.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Sj6SoGBJ.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vgl6TzQ9uzGXrbslc.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\vgl6TzQ9uzGXrbslc.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\VgQS p2zoBtKpHSKB.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\VgQS p2zoBtKpHSKB.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WoAfC7fH.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WoAfC7fH.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WUpSn9HARv5eBhQKKyI.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\WUpSn9HARv5eBhQKKyI.docx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\XYua.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\XYua.pptx | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Y1zhfb0f.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\Documents\Y1zhfb0f.pps | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents/ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Documents\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Pictures\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Pictures/ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Pictures\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Pictures\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Videos\ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Videos/ | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Videos\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\Public\Videos\desktop.ini | type = file_attributes |
|
1 | |
| Get Info | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | type = file_type |
|
2 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | type = file_type |
|
1 | |
| Get Info | C:\Users\CIIHMN~1\AppData\Local\Temp/8x8x8 | type = file_attributes |
|
166 | |
| Open | STD_INPUT_HANDLE | - |
|
2 | |
| Open | STD_OUTPUT_HANDLE | - |
|
1 | |
| Open | STD_ERROR_HANDLE | - |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 65536, size_out = 65536 |
|
11 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 512, size_out = 512 |
|
6 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 512, size_out = 8 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 65536, size_out = 65536 |
|
11 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 512, size_out = 512 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 16384, size_out = 16384 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 65536, size_out = 65536 |
|
11 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 4096 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 512, size_out = 512 |
|
5 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 1087 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | size = 4096, size_out = 1430 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | size = 61440, size_out = 0 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | size = 65536, size_out = 7530 |
|
2 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/-2zElut.mkv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/-2zElut.mkv | size = 65536, size_out = 34824 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/-2zElut.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/3 rt.png | size = 65536, size_out = 47841 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/3 rt.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/5h pi4P G_.ods | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/5h pi4P G_.ods | size = 65536, size_out = 29989 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/5h pi4P G_.ods | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/6UcE2 -hZ7ABmj.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/6UcE2 -hZ7ABmj.bmp | size = 65536, size_out = 13581 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/6UcE2 -hZ7ABmj.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/8irUlxoryz9NBEdK.gif | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/8irUlxoryz9NBEdK.gif | size = 65536, size_out = 19631 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/8irUlxoryz9NBEdK.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/8ZHaOi1b54EwUUY.wav | size = 65536, size_out = 34522 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/8ZHaOi1b54EwUUY.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/Desktop Ransomware.exe | size = 65536, size_out = 65536 |
|
12 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/Desktop Ransomware.exe | size = 65536, size_out = 40960 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/Desktop Ransomware.exe | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/desktop.ini | size = 65536, size_out = 282 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/dPayGG-Py.wav | size = 65536, size_out = 6965 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/dPayGG-Py.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/e5GfWHYXYvLZf4xlvH.odt | size = 65536, size_out = 53520 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/e5GfWHYXYvLZf4xlvH.odt | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/gj X79Jxk-e2.mp3 | size = 65536, size_out = 29162 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/gj X79Jxk-e2.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/IKU0-73q9hf36BYJPVXf.flv | size = 65536, size_out = 30110 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/IKU0-73q9hf36BYJPVXf.flv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/J_D_Smy7X3HCRMT CH6x.mkv | size = 65536, size_out = 4335 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/J_D_Smy7X3HCRMT CH6x.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/K2q1laBaVd-UhyM66s.mkv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/K2q1laBaVd-UhyM66s.mkv | size = 65536, size_out = 2173 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/K2q1laBaVd-UhyM66s.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/lITr E-u.ots | size = 65536, size_out = 54819 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/lITr E-u.ots | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/md9DYhuwlzuJ4s.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/md9DYhuwlzuJ4s.bmp | size = 65536, size_out = 29994 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/md9DYhuwlzuJ4s.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/OHPAk7bl2NSxuhuQR7XV.flv | size = 65536, size_out = 36259 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/OHPAk7bl2NSxuhuQR7XV.flv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/oOD4uhzm Zkl2zk.mp4 | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/oOD4uhzm Zkl2zk.mp4 | size = 65536, size_out = 36743 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/oOD4uhzm Zkl2zk.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/P6_LLd2-wg7.gif | size = 65536, size_out = 39300 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/P6_LLd2-wg7.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/rDNk37jQ34m.avi | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/rDNk37jQ34m.avi | size = 65536, size_out = 33727 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/rDNk37jQ34m.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/S0Njuyb0MbA8NPe7f.odp | size = 65536, size_out = 45891 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/S0Njuyb0MbA8NPe7f.odp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/SN-7hPJVIjPbeSt.mp3 | size = 65536, size_out = 44861 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/SN-7hPJVIjPbeSt.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/sUead_MVmaeTHpH.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/sUead_MVmaeTHpH.bmp | size = 65536, size_out = 7463 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/sUead_MVmaeTHpH.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/uQdlphYG1dbqk1.jpg | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/uQdlphYG1dbqk1.jpg | size = 65536, size_out = 7021 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/uQdlphYG1dbqk1.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/V9yoC.mp3 | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/V9yoC.mp3 | size = 65536, size_out = 10329 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/V9yoC.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/VowNGbAt2Uc.flv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/VowNGbAt2Uc.flv | size = 65536, size_out = 32455 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/VowNGbAt2Uc.flv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/v_rOYmuVae.mkv | size = 65536, size_out = 4956 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/v_rOYmuVae.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/W9JWpaycQhp.pptx | size = 65536, size_out = 2661 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/W9JWpaycQhp.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/wxFZJI-.mkv | size = 65536, size_out = 18381 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/wxFZJI-.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/xH2Q91hAXQ3Pfvttd_N.wav | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/xH2Q91hAXQ3Pfvttd_N.wav | size = 65536, size_out = 27818 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/xH2Q91hAXQ3Pfvttd_N.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/xJQWy0H5XjB.bmp | size = 65536, size_out = 65373 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/xJQWy0H5XjB.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/z0fFK_swV0a.wav | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/z0fFK_swV0a.wav | size = 65536, size_out = 4741 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Desktop/z0fFK_swV0a.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/07iDkNP.swf | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/07iDkNP.swf | size = 65536, size_out = 11331 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/07iDkNP.swf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/2k9SgaKkgk9oGZO2eWO.wav | size = 65536, size_out = 7355 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/2k9SgaKkgk9oGZO2eWO.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/3- s1lsS.gif | size = 65536, size_out = 59746 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/3- s1lsS.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/4hX BzG8K.gif | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/4hX BzG8K.gif | size = 65536, size_out = 982 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/4hX BzG8K.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6Ihl59F1EW3Dmio30.mp3 | size = 65536, size_out = 22129 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6Ihl59F1EW3Dmio30.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6x1noCxpBp1mmFoeCN6T.png | size = 65536, size_out = 23642 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/6x1noCxpBp1mmFoeCN6T.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/7NLT7b7.bmp | size = 65536, size_out = 63953 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/7NLT7b7.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/a59dR.mp3 | size = 65536, size_out = 34156 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/a59dR.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/CHfvN1bcW R8s7_bOrn.xls | size = 65536, size_out = 29869 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/CHfvN1bcW R8s7_bOrn.xls | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/dCV6-VAR1Amz0.mp4 | size = 65536, size_out = 1833 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/dCV6-VAR1Amz0.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/DlhsKoDumMDb.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/DlhsKoDumMDb.bmp | size = 65536, size_out = 26529 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/DlhsKoDumMDb.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/e47Ptw.gif | size = 65536, size_out = 10884 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/e47Ptw.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eA3aYZlB_n2DMgb4vCUM.bmp | size = 65536, size_out = 51185 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eA3aYZlB_n2DMgb4vCUM.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eZG2gw6YILMiFluj.csv | size = 65536, size_out = 6905 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/eZG2gw6YILMiFluj.csv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HD1FLLNmLPJ7igO2XSQ.png | size = 65536, size_out = 34933 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HD1FLLNmLPJ7igO2XSQ.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HPiFfUsmobc0kOQ6Rzg.flv | size = 65536, size_out = 51371 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/HPiFfUsmobc0kOQ6Rzg.flv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/j3xOnM3C5H UUFiE2.pps | size = 65536, size_out = 17525 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/j3xOnM3C5H UUFiE2.pps | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/K1kWG.swf | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/K1kWG.swf | size = 65536, size_out = 34229 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/K1kWG.swf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/lcXeGR.jpg | size = 65536, size_out = 10880 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/lcXeGR.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LRfe.m4a | size = 65536, size_out = 39856 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LRfe.m4a | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LvpXw5odR.mkv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LvpXw5odR.mkv | size = 65536, size_out = 12140 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/LvpXw5odR.mkv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/miHZX-Mq6_uJj5Jr.bmp | size = 65536, size_out = 32733 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/miHZX-Mq6_uJj5Jr.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/MLN9.csv | size = 65536, size_out = 7967 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/MLN9.csv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/my4LIyozfPFM.mp4 | size = 65536, size_out = 29258 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/my4LIyozfPFM.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/PiMy.wav | size = 65536, size_out = 1837 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/PiMy.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Qro3U.bmp | size = 65536, size_out = 48579 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Qro3U.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/R0bpFAwwI.xls | size = 65536, size_out = 41755 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/R0bpFAwwI.xls | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/rzTdzniVDq.csv | size = 65536, size_out = 58061 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/rzTdzniVDq.csv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SBImy.wav | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SBImy.wav | size = 65536, size_out = 34243 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SBImy.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SeOV2qpgcHWHh_nbqI.mp3 | size = 65536, size_out = 41516 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/SeOV2qpgcHWHh_nbqI.mp3 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/sgCJT.jpg | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/sgCJT.jpg | size = 65536, size_out = 17 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/sgCJT.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/T2Cxs_YQD7nPt.bmp | size = 65536, size_out = 39323 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/T2Cxs_YQD7nPt.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/TzQzGhO-DVwBiUIbj v.odp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/TzQzGhO-DVwBiUIbj v.odp | size = 65536, size_out = 30425 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/TzQzGhO-DVwBiUIbj v.odp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/UiCbiMIX.ods | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/UiCbiMIX.ods | size = 65536, size_out = 23633 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/UiCbiMIX.ods | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/XyTO98.bmp | size = 65536, size_out = 21970 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/XyTO98.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YbpOFECxSdU1o.odp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YbpOFECxSdU1o.odp | size = 65536, size_out = 15804 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YbpOFECxSdU1o.odp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YeqB3B7c2.odt | size = 65536, size_out = 20100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/YeqB3B7c2.odt | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/IconCache.db | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/IconCache.db | size = 65536, size_out = 55864 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/IconCache.db | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/TempCHHKSM.exe | size = 65536, size_out = 65536 |
|
12 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/TempCHHKSM.exe | size = 65536, size_out = 59495 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps/AppData/Local/TempCHHKSM.exe | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | size = 65536, size_out = 504 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | size = 65536, size_out = 44423 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/desktop.ini | size = 65536, size_out = 504 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/di ot4o1qyFI.jpg | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/di ot4o1qyFI.jpg | size = 65536, size_out = 5035 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/di ot4o1qyFI.jpg | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/pCRiuz4PFsi5.png | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/pCRiuz4PFsi5.png | size = 65536, size_out = 19401 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/pCRiuz4PFsi5.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/SHgyDm0.gif | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/SHgyDm0.gif | size = 65536, size_out = 8514 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/SHgyDm0.gif | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/WNoBJk6u3i.bmp | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/WNoBJk6u3i.bmp | size = 65536, size_out = 12877 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/WNoBJk6u3i.bmp | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/yrGrT5GM2kHnbKjZs.png | size = 65536, size_out = 11934 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Pictures/yrGrT5GM2kHnbKjZs.png | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/5VHrP.avi | size = 65536, size_out = 37131 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/5VHrP.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/ctEdCOQfNgS.avi | size = 65536, size_out = 13840 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/ctEdCOQfNgS.avi | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/desktop.ini | size = 65536, size_out = 504 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/Yh3aSzBw6vqSD.mp4 | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/Yh3aSzBw6vqSD.mp4 | size = 65536, size_out = 3081 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Videos/Yh3aSzBw6vqSD.mp4 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/33ks1nc2w.xlsx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/33ks1nc2w.xlsx | size = 65536, size_out = 22227 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/33ks1nc2w.xlsx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/4 oKstOLjt Ogj.csv | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/4 oKstOLjt Ogj.csv | size = 65536, size_out = 8490 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/4 oKstOLjt Ogj.csv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/5IRX mV-dQwqDIWU8l.docx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/5IRX mV-dQwqDIWU8l.docx | size = 65536, size_out = 15872 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/5IRX mV-dQwqDIWU8l.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/AkLAPzq8O4g_04G.xlsx | size = 65536, size_out = 14330 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/AkLAPzq8O4g_04G.xlsx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/cVtkaJxJuKDO0_4HwRfX.pptx | size = 65536, size_out = 10893 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/cVtkaJxJuKDO0_4HwRfX.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Database1.accdb | size = 65536, size_out = 65536 |
|
5 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Database1.accdb | size = 65536, size_out = 28672 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Database1.accdb | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/desktop.ini | size = 65536, size_out = 402 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/dH8KjJr-DCE7s3hc0W.rtf | size = 65536, size_out = 32160 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/dH8KjJr-DCE7s3hc0W.rtf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/DzQxuyYypsLJ110Td.docx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/DzQxuyYypsLJ110Td.docx | size = 65536, size_out = 9833 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/DzQxuyYypsLJ110Td.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/e4YsgwXPFnJ1eF_aq_.rtf | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/e4YsgwXPFnJ1eF_aq_.rtf | size = 65536, size_out = 27231 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/e4YsgwXPFnJ1eF_aq_.rtf | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/FsWV1eA3OkafmtB.xlsx | size = 65536, size_out = 65138 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/FsWV1eA3OkafmtB.xlsx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/G-L JfK4PzqcH7ER.csv | size = 65536, size_out = 26274 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/G-L JfK4PzqcH7ER.csv | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Ihhj7L6.docx | size = 65536, size_out = 37100 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Ihhj7L6.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/IRevt7-Vo2dY1p.docx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/IRevt7-Vo2dY1p.docx | size = 65536, size_out = 29743 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/IRevt7-Vo2dY1p.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/jg83kL7EHzk5tOx.pptx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/jg83kL7EHzk5tOx.pptx | size = 65536, size_out = 23229 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/jg83kL7EHzk5tOx.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/KwL8B1f2HAeXB.ots | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/KwL8B1f2HAeXB.ots | size = 65536, size_out = 28037 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/KwL8B1f2HAeXB.ots | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/lqoCl6y.xlsx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/lqoCl6y.xlsx | size = 65536, size_out = 3957 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/lqoCl6y.xlsx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/o5UgHIGv4h72IU.pptx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/o5UgHIGv4h72IU.pptx | size = 65536, size_out = 2674 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/o5UgHIGv4h72IU.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/oNfvs3LGk1TKi1J4_aSN.xlsx | size = 65536, size_out = 2448 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/oNfvs3LGk1TKi1J4_aSN.xlsx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Sj6SoGBJ.pptx | size = 65536, size_out = 35240 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Sj6SoGBJ.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/vgl6TzQ9uzGXrbslc.pptx | size = 65536, size_out = 64953 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/vgl6TzQ9uzGXrbslc.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/VgQS p2zoBtKpHSKB.docx | size = 65536, size_out = 50185 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/VgQS p2zoBtKpHSKB.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/WoAfC7fH.docx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/WoAfC7fH.docx | size = 65536, size_out = 21336 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/WoAfC7fH.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/WUpSn9HARv5eBhQKKyI.docx | size = 65536, size_out = 30680 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/WUpSn9HARv5eBhQKKyI.docx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/XYua.pptx | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/XYua.pptx | size = 65536, size_out = 5632 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/XYua.pptx | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Y1zhfb0f.pps | size = 65536, size_out = 65536 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Y1zhfb0f.pps | size = 65536, size_out = 36471 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\Documents/Y1zhfb0f.pps | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\Public\Documents/desktop.ini | size = 65536, size_out = 278 |
|
1 | |
| Read | C:\Users\Public\Documents/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\Public\Pictures/desktop.ini | size = 65536, size_out = 380 |
|
1 | |
| Read | C:\Users\Public\Pictures/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\Public\Videos/desktop.ini | size = 65536, size_out = 380 |
|
1 | |
| Read | C:\Users\Public\Videos/desktop.ini | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp/8x8x8 | size = 65536, size_out = 0 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 65536, size_out = 65536 |
|
11 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 512, size_out = 512 |
|
3 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 61440, size_out = 61440 |
|
2 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 28672, size_out = 28672 |
|
1 | |
| Read | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | size = 4096, size_out = 3750 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 4096, size_out = 4096 |
|
3 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 61440, size_out = 61440 |
|
2 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 61440, size_out = 27098 |
|
1 | |
| Read | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 32768, size_out = 0 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | size = 1430 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | size = 4096 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | size = 3434 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.-2zElut.mkv | size = 100368 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.3 rt.png | size = 47848 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.5h pi4P G_.ods | size = 95528 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.6UcE2 -hZ7ABmj.bmp | size = 79120 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8irUlxoryz9NBEdK.gif | size = 85168 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.8ZHaOi1b54EwUUY.wav | size = 34528 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.Desktop Ransomware.exe | size = 827400 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.desktop.ini | size = 288 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.dPayGG-Py.wav | size = 6968 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.e5GfWHYXYvLZf4xlvH.odt | size = 53528 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.gj X79Jxk-e2.mp3 | size = 29168 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.IKU0-73q9hf36BYJPVXf.flv | size = 30112 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.J_D_Smy7X3HCRMT CH6x.mkv | size = 4336 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.K2q1laBaVd-UhyM66s.mkv | size = 67712 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.lITr E-u.ots | size = 54824 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.md9DYhuwlzuJ4s.bmp | size = 95536 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.OHPAk7bl2NSxuhuQR7XV.flv | size = 36264 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.oOD4uhzm Zkl2zk.mp4 | size = 102280 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.P6_LLd2-wg7.gif | size = 39304 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.rDNk37jQ34m.avi | size = 99264 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.S0Njuyb0MbA8NPe7f.odp | size = 45896 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.SN-7hPJVIjPbeSt.mp3 | size = 44864 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.sUead_MVmaeTHpH.bmp | size = 73000 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.uQdlphYG1dbqk1.jpg | size = 72560 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.V9yoC.mp3 | size = 75872 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.VowNGbAt2Uc.flv | size = 97992 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.v_rOYmuVae.mkv | size = 4960 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.W9JWpaycQhp.pptx | size = 2664 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.wxFZJI-.mkv | size = 18384 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xH2Q91hAXQ3Pfvttd_N.wav | size = 93360 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.xJQWy0H5XjB.bmp | size = 65376 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Desktop/Lock.z0fFK_swV0a.wav | size = 70280 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.07iDkNP.swf | size = 76872 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.2k9SgaKkgk9oGZO2eWO.wav | size = 7360 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.3- s1lsS.gif | size = 59752 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.4hX BzG8K.gif | size = 66520 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6Ihl59F1EW3Dmio30.mp3 | size = 22136 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.6x1noCxpBp1mmFoeCN6T.png | size = 23648 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.7NLT7b7.bmp | size = 63960 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.a59dR.mp3 | size = 34160 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.CHfvN1bcW R8s7_bOrn.xls | size = 29872 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.dCV6-VAR1Amz0.mp4 | size = 1840 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.DlhsKoDumMDb.bmp | size = 92072 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.e47Ptw.gif | size = 10888 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eA3aYZlB_n2DMgb4vCUM.bmp | size = 51192 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.eZG2gw6YILMiFluj.csv | size = 6912 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HD1FLLNmLPJ7igO2XSQ.png | size = 34936 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.HPiFfUsmobc0kOQ6Rzg.flv | size = 51376 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.j3xOnM3C5H UUFiE2.pps | size = 17528 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.K1kWG.swf | size = 99768 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.lcXeGR.jpg | size = 10888 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LRfe.m4a | size = 39864 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.LvpXw5odR.mkv | size = 77680 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.miHZX-Mq6_uJj5Jr.bmp | size = 32736 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.MLN9.csv | size = 7968 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.my4LIyozfPFM.mp4 | size = 29264 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.PiMy.wav | size = 1840 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.Qro3U.bmp | size = 48584 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.R0bpFAwwI.xls | size = 41760 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.rzTdzniVDq.csv | size = 58064 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SBImy.wav | size = 99784 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.SeOV2qpgcHWHh_nbqI.mp3 | size = 41520 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.sgCJT.jpg | size = 65560 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.T2Cxs_YQD7nPt.bmp | size = 39328 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.TzQzGhO-DVwBiUIbj v.odp | size = 95968 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.UiCbiMIX.ods | size = 89176 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.XyTO98.bmp | size = 21976 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YbpOFECxSdU1o.odp | size = 81344 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Roaming/Lock.YeqB3B7c2.odt | size = 20104 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.IconCache.db | size = 121408 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps/AppData/Local/Lock.TempCHHKSM.exe | size = 845928 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Music/Lock.desktop.ini | size = 512 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Music/Lock.ZPcES1.wav | size = 44424 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.desktop.ini | size = 512 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.di ot4o1qyFI.jpg | size = 70576 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.pCRiuz4PFsi5.png | size = 84944 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.SHgyDm0.gif | size = 74056 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.WNoBJk6u3i.bmp | size = 78416 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Pictures/Lock.yrGrT5GM2kHnbKjZs.png | size = 11936 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Videos/Lock.5VHrP.avi | size = 37136 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Videos/Lock.ctEdCOQfNgS.avi | size = 13848 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Videos/Lock.desktop.ini | size = 512 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Videos/Lock.Yh3aSzBw6vqSD.mp4 | size = 68624 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.33ks1nc2w.xlsx | size = 87768 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.4 oKstOLjt Ogj.csv | size = 74032 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.5IRX mV-dQwqDIWU8l.docx | size = 81416 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.AkLAPzq8O4g_04G.xlsx | size = 14336 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.cVtkaJxJuKDO0_4HwRfX.pptx | size = 10896 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Database1.accdb | size = 356360 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.desktop.ini | size = 408 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.dH8KjJr-DCE7s3hc0W.rtf | size = 32168 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.DzQxuyYypsLJ110Td.docx | size = 75376 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.e4YsgwXPFnJ1eF_aq_.rtf | size = 92768 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.FsWV1eA3OkafmtB.xlsx | size = 65144 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.G-L JfK4PzqcH7ER.csv | size = 26280 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Ihhj7L6.docx | size = 37104 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.IRevt7-Vo2dY1p.docx | size = 95280 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.jg83kL7EHzk5tOx.pptx | size = 88768 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.KwL8B1f2HAeXB.ots | size = 93576 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.lqoCl6y.xlsx | size = 69496 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.o5UgHIGv4h72IU.pptx | size = 68216 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.oNfvs3LGk1TKi1J4_aSN.xlsx | size = 2456 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Sj6SoGBJ.pptx | size = 35248 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.vgl6TzQ9uzGXrbslc.pptx | size = 64960 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.VgQS p2zoBtKpHSKB.docx | size = 50192 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.WoAfC7fH.docx | size = 86880 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.WUpSn9HARv5eBhQKKyI.docx | size = 30688 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.XYua.pptx | size = 71176 |
|
1 | |
| Write | C:\Users\CIiHmnxMn6Ps\Documents/Lock.Y1zhfb0f.pps | size = 102008 |
|
1 | |
| Write | C:\Users\Public\Documents/Lock.desktop.ini | size = 280 |
|
1 | |
| Write | C:\Users\Public\Pictures/Lock.desktop.ini | size = 384 |
|
1 | |
| Write | C:\Users\Public\Videos/Lock.desktop.ini | size = 384 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp/8x8x8 | size = 0 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 65536 |
|
2 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 28672 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\aut9F83.tmp | size = 2522 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | size = 65536 |
|
3 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | size = 12288 |
|
1 | |
| Write | C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg | size = 1980 |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\aut475F.tmp | - |
|
1 | |
| Delete | C:\Users\CIIHMN~1\AppData\Local\Temp\ueiephm | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\-2zElut.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\3 rt.png | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\5h pi4P G_.ods | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\6UcE2 -hZ7ABmj.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\8irUlxoryz9NBEdK.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\8ZHaOi1b54EwUUY.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\Desktop Ransomware.exe | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\desktop.ini | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\dPayGG-Py.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\e5GfWHYXYvLZf4xlvH.odt | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\gj X79Jxk-e2.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\IKU0-73q9hf36BYJPVXf.flv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\J_D_Smy7X3HCRMT CH6x.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\K2q1laBaVd-UhyM66s.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\lITr E-u.ots | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\md9DYhuwlzuJ4s.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\OHPAk7bl2NSxuhuQR7XV.flv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\oOD4uhzm Zkl2zk.mp4 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\P6_LLd2-wg7.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\rDNk37jQ34m.avi | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\S0Njuyb0MbA8NPe7f.odp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\SN-7hPJVIjPbeSt.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\sUead_MVmaeTHpH.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\uQdlphYG1dbqk1.jpg | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\V9yoC.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\VowNGbAt2Uc.flv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\v_rOYmuVae.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\W9JWpaycQhp.pptx | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\wxFZJI-.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\xH2Q91hAXQ3Pfvttd_N.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\xJQWy0H5XjB.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Desktop\z0fFK_swV0a.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\07iDkNP.swf | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\2k9SgaKkgk9oGZO2eWO.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\3- s1lsS.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\4hX BzG8K.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6Ihl59F1EW3Dmio30.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\6x1noCxpBp1mmFoeCN6T.png | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\7NLT7b7.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\a59dR.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CHfvN1bcW R8s7_bOrn.xls | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\dCV6-VAR1Amz0.mp4 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\DlhsKoDumMDb.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\e47Ptw.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eA3aYZlB_n2DMgb4vCUM.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\eZG2gw6YILMiFluj.csv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HD1FLLNmLPJ7igO2XSQ.png | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\HPiFfUsmobc0kOQ6Rzg.flv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\j3xOnM3C5H UUFiE2.pps | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\K1kWG.swf | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\lcXeGR.jpg | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LRfe.m4a | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\LvpXw5odR.mkv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\miHZX-Mq6_uJj5Jr.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\MLN9.csv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\my4LIyozfPFM.mp4 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\PiMy.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Qro3U.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\R0bpFAwwI.xls | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\rzTdzniVDq.csv | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SBImy.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\SeOV2qpgcHWHh_nbqI.mp3 | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\sgCJT.jpg | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\T2Cxs_YQD7nPt.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\TzQzGhO-DVwBiUIbj v.odp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\UiCbiMIX.ods | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\XyTO98.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YbpOFECxSdU1o.odp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Roaming\YeqB3B7c2.odt | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\IconCache.db | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Music\desktop.ini | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Music\ZPcES1.wav | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\desktop.ini | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\di ot4o1qyFI.jpg | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\pCRiuz4PFsi5.png | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\SHgyDm0.gif | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\WNoBJk6u3i.bmp | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Pictures\yrGrT5GM2kHnbKjZs.png | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Videos\5VHrP.avi | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Videos\ctEdCOQfNgS.avi | - |
|
1 | |
| Delete | C:\Users\CIiHmnxMn6Ps\Videos\desktop.ini | - |
|
1 | |
|
For performance reasons, the remaining 31 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Registry (333)
| Operation | Key | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create Key | HKEY_CURRENT_USER\Control Panel\Desktop | - |
|
165 | |
| Open Key | HKEY_CURRENT_USER\Control Panel\Mouse | - |
|
1 | |
| Open Key | HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt | - |
|
1 | |
| Read Value | HKEY_CURRENT_USER\Control Panel\Mouse | value_name = SwapMouseButtons, data = 48 |
|
1 | |
| Write Value | HKEY_CURRENT_USER\Control Panel\Desktop | value_name = Wallpaper, data = C:\Users\CIIHMN~1\AppData\Local\Temp\wl.jpg, size = 88, type = REG_SZ |
|
165 |
Module (1581)
| Operation | Module | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Load | kernel32.dll | base_address = 0x75260000 |
|
3 | |
| Load | uxtheme.dll | base_address = 0x74c20000 |
|
1 | |
| Load | ntdll.dll | base_address = 0x77ca0000 |
|
1 | |
| Load | Advapi32.dll | base_address = 0x76a10000 |
|
112 | |
| Load | user32.dll | base_address = 0x77150000 |
|
165 | |
| Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75260000 |
|
2 | |
| Get Filename | - | process_name = c:\users\ciihmnxmn6ps\appdata\local\tempchhksm.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Local\TempCHHKSM.exe, size = 260 |
|
3 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x7527a330 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75277580 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75279910 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x7527f400 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = IsWow64Process, address_out = 0x752796e0 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetNativeSystemInfo, address_out = 0x7527a410 |
|
1 | |
| Get Address | c:\windows\syswow64\uxtheme.dll | function = IsThemeActive, address_out = 0x74c54900 |
|
1 | |
| Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcess, address_out = 0x75272da0 |
|
1 | |
| Get Address | c:\windows\syswow64\ntdll.dll | function = ZwSetInformationProcess, address_out = 0x77d08da0 |
|
1 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContext, address_out = 0x0 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptAcquireContextA, address_out = 0x76a30c00 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptCreateHash, address_out = 0x76a2f930 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptHashData, address_out = 0x76a2f950 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDeriveKey, address_out = 0x76a45b70 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyHash, address_out = 0x76a2fbf0 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptEncrypt, address_out = 0x76a45bd0 |
|
224 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptDestroyKey, address_out = 0x76a2fc10 |
|
112 | |
| Get Address | c:\windows\syswow64\advapi32.dll | function = CryptReleaseContext, address_out = 0x76a30ad0 |
|
112 | |
| Get Address | c:\windows\syswow64\user32.dll | function = SystemParametersInfoW, address_out = 0x7716bea0 |
|
165 |
Window (2)
| Operation | Window Name | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Create | AutoIt v3 | class_name = AutoIt v3, wndproc_parameter = 0 |
|
1 | |
| Create | - | class_name = edit, wndproc_parameter = 0 |
|
1 |
System (6825)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Sleep | duration = 750 milliseconds (0.750 seconds) |
|
266 | |
| Sleep | duration = 10 milliseconds (0.010 seconds) |
|
6537 | |
| Get Time | type = System Time, time = 2018-11-01 17:13:12 (UTC) |
|
18 | |
| Get Time | type = Ticks, time = 148453 |
|
1 | |
| Get Time | type = System Time, time = 2018-11-01 17:13:35 (UTC) |
|
1 | |
| Get Info | type = Operating System |
|
1 | |
| Get Info | type = Hardware Information |
|
1 |
Environment (315)
| Operation | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|
| Get Environment String | - |
|
1 | |
| Get Environment String | name = USERPROFILE, result_out = C:\Users\CIiHmnxMn6Ps |
|
314 |
Debug (1)
| Operation | Process | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| Check for Presence | c:\users\ciihmnxmn6ps\appdata\local\tempchhksm.exe | - |
|
1 |
Process #3: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:11, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:26 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfb8 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FD8
0x
FD4
0x
FD0
0x
FC8
0x
FBC
0x
FDC
0x
300
0x
204
0x
6A8
0x
C70
0x
C04
0x
C20
0x
CE8
0x
7A0
0x
E58
0x
3A8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000c386370000 | 0xc386370000 | 0xc38637ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c386380000 | 0xc386380000 | 0xc386386fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c386390000 | 0xc386390000 | 0xc3863a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c3863b0000 | 0xc3863b0000 | 0xc38642ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c386430000 | 0xc386430000 | 0xc386433fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c386440000 | 0xc386440000 | 0xc386442fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c386450000 | 0xc386450000 | 0xc386451fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc386460000 | 0xc38651dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c386520000 | 0xc386520000 | 0xc38659ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3865a0000 | 0xc3865a0000 | 0xc3865a6fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xc3865b0000 | 0xc3865b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3865c0000 | 0xc3865c0000 | 0xc3865c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3865d0000 | 0xc3865d0000 | 0xc3865d0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3865e0000 | 0xc3865e0000 | 0xc3865e0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3865f0000 | 0xc3865f0000 | 0xc3865f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c386600000 | 0xc386600000 | 0xc386600fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c386610000 | 0xc386610000 | 0xc386610fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c386620000 | 0xc386620000 | 0xc386622fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c386630000 | 0xc386630000 | 0xc38672ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c386730000 | 0xc386730000 | 0xc3868b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c3868c0000 | 0xc3868c0000 | 0xc386a40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c386a50000 | 0xc386a50000 | 0xc386a79fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c386a80000 | 0xc386a80000 | 0xc386a80fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c386a90000 | 0xc386a90000 | 0xc386a91fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c386aa0000 | 0xc386aa0000 | 0xc386aaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c386ab0000 | 0xc386ab0000 | 0xc387eaffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c387eb0000 | 0xc387eb0000 | 0xc387f2ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xc387f30000 | 0xc387f31fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xc387f40000 | 0xc387f43fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c387f50000 | 0xc387f50000 | 0xc387f50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c387f60000 | 0xc387f60000 | 0xc387f60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c387f70000 | 0xc387f70000 | 0xc387f70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c387f80000 | 0xc387f80000 | 0xc387f8ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xc387f90000 | 0xc3882c6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c3882d0000 | 0xc3882d0000 | 0xc38834ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388350000 | 0xc388350000 | 0xc3883cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3883d0000 | 0xc3883d0000 | 0xc38844ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388450000 | 0xc388450000 | 0xc3884cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3884d0000 | 0xc3884d0000 | 0xc38854ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388550000 | 0xc388550000 | 0xc3885cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c3885d0000 | 0xc3885d0000 | 0xc3886fafff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xc3885d0000 | 0xc3885e3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xc3885f0000 | 0xc3885f1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xc388600000 | 0xc388604fff | Memory Mapped File | r |
|
|
|
- |
| cversions.1.db | 0xc388610000 | 0xc388613fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xc388620000 | 0xc388632fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c388640000 | 0xc388640000 | 0xc388640fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xc388650000 | 0xc38866bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c388670000 | 0xc388670000 | 0xc3886effff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xc3886f0000 | 0xc3886f3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c388700000 | 0xc388700000 | 0xc3887fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388800000 | 0xc388800000 | 0xc38887ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388880000 | 0xc388880000 | 0xc388880fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c388890000 | 0xc388890000 | 0xc388890fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c3888a0000 | 0xc3888a0000 | 0xc38899ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c3889a0000 | 0xc3889a0000 | 0xc388a1ffff | Private Memory | rw |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xc388a20000 | 0xc388a62fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xc388a70000 | 0xc388a73fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xc388a80000 | 0xc388b0afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c388b10000 | 0xc388b10000 | 0xc388c0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c388c10000 | 0xc388c10000 | 0xc388c12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c388c20000 | 0xc388c20000 | 0xc388c20fff | Private Memory | rw |
|
|
|
- |
| thumbcache_idx.db | 0xc388c30000 | 0xc388c31fff | Memory Mapped File | rw |
|
|
|
- |
| cversions.1.db | 0xc388c40000 | 0xc388c43fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c388c50000 | 0xc388c50000 | 0xc388c58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388c60000 | 0xc388c60000 | 0xc388c60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388c70000 | 0xc388c70000 | 0xc388c93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388ca0000 | 0xc388ca0000 | 0xc388ca8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c388cb0000 | 0xc388cb0000 | 0xc388daffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c388dc0000 | 0xc388dc0000 | 0xc388dc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xc388dd0000 | 0xc388dd1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xc388de0000 | 0xc388edffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000c388ee0000 | 0xc388ee0000 | 0xc388f27fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xc388f30000 | 0xc388f40fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff190000 | 0x7df5ff190000 | 0x7ff5ff18ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcf34000 | 0x7ff7bcf34000 | 0x7ff7bcf35fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf36000 | 0x7ff7bcf36000 | 0x7ff7bcf37fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf38000 | 0x7ff7bcf38000 | 0x7ff7bcf39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3a000 | 0x7ff7bcf3a000 | 0x7ff7bcf3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3c000 | 0x7ff7bcf3c000 | 0x7ff7bcf3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3e000 | 0x7ff7bcf3e000 | 0x7ff7bcf3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcf40000 | 0x7ff7bcf40000 | 0x7ff7bd03ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd040000 | 0x7ff7bd040000 | 0x7ff7bd062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd063000 | 0x7ff7bd063000 | 0x7ff7bd064fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd065000 | 0x7ff7bd065000 | 0x7ff7bd066fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd067000 | 0x7ff7bd067000 | 0x7ff7bd068fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd069000 | 0x7ff7bd069000 | 0x7ff7bd06afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06b000 | 0x7ff7bd06b000 | 0x7ff7bd06cfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06d000 | 0x7ff7bd06d000 | 0x7ff7bd06efff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06f000 | 0x7ff7bd06f000 | 0x7ff7bd06ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ff8dc780000 | 0x7ff8dca11fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ff8dcfd0000 | 0x7ff8dd018fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rmclient.dll | 0x7ff8e99e0000 | 0x7ff8e9a07fff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 22 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #4: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:13, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:24 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xfe0 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
FF4
0x
FF0
0x
FEC
0x
FE8
0x
FE4
0x
FFC
0x
C5C
0x
B0
0x
C18
0x
C08
0x
C40
0x
C3C
0x
E54
0x
E4C
0x
854
0x
E68
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000e437580000 | 0xe437580000 | 0xe43758ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e437590000 | 0xe437590000 | 0xe437596fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4375a0000 | 0xe4375a0000 | 0xe4375b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e4375c0000 | 0xe4375c0000 | 0xe43763ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e437640000 | 0xe437640000 | 0xe437643fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437650000 | 0xe437650000 | 0xe437652fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e437660000 | 0xe437660000 | 0xe437661fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe437670000 | 0xe43772dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e437730000 | 0xe437730000 | 0xe437736fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xe437740000 | 0xe437740fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e437750000 | 0xe437750000 | 0xe437750fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e437760000 | 0xe437760000 | 0xe437760fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e437770000 | 0xe437770000 | 0xe437770fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e437780000 | 0xe437780000 | 0xe43787ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e437880000 | 0xe437880000 | 0xe4378fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e437900000 | 0xe437900000 | 0xe437a87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437a90000 | 0xe437a90000 | 0xe437a91fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437aa0000 | 0xe437aa0000 | 0xe437aa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437ab0000 | 0xe437ab0000 | 0xe437ab0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e437ac0000 | 0xe437ac0000 | 0xe437acffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e437ad0000 | 0xe437ad0000 | 0xe437b4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e437b50000 | 0xe437b50000 | 0xe437b52fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437b60000 | 0xe437b60000 | 0xe437b60fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437b70000 | 0xe437b70000 | 0xe437b71fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e437b80000 | 0xe437b80000 | 0xe437b8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e437b90000 | 0xe437b90000 | 0xe437d10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e437d20000 | 0xe437d20000 | 0xe43911ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0xe439120000 | 0xe439456fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e439460000 | 0xe439460000 | 0xe4394dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4394e0000 | 0xe4394e0000 | 0xe43955ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439560000 | 0xe439560000 | 0xe4395dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4395e0000 | 0xe4395e0000 | 0xe439609fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e439610000 | 0xe439610000 | 0xe43968ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439690000 | 0xe439690000 | 0xe43970ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xe439710000 | 0xe439711fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xe439720000 | 0xe439723fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e439730000 | 0xe439730000 | 0xe4397affff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4397b0000 | 0xe4397b0000 | 0xe4398affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e4398b0000 | 0xe4398b0000 | 0xe4398b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e4398c0000 | 0xe4398c0000 | 0xe4398c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4398d0000 | 0xe4398d0000 | 0xe4398d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e4398e0000 | 0xe4398e0000 | 0xe43995ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439960000 | 0xe439960000 | 0xe439960fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e439970000 | 0xe439970000 | 0xe439970fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xe439980000 | 0xe439993fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xe4399a0000 | 0xe4399a1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xe4399b0000 | 0xe4399b4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e4399c0000 | 0xe4399c0000 | 0xe439abffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xe439ac0000 | 0xe439ac3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xe439ad0000 | 0xe439ae2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e439af0000 | 0xe439af0000 | 0xe439af0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xe439b00000 | 0xe439b1bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e439b20000 | 0xe439b20000 | 0xe439b9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439ba0000 | 0xe439ba0000 | 0xe439c1ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xe439c20000 | 0xe439c23fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xe439c30000 | 0xe439c72fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xe439c80000 | 0xe439c83fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xe439c90000 | 0xe439d1afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e439d20000 | 0xe439d20000 | 0xe439e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e439e20000 | 0xe439e20000 | 0xe439e22fff | Pagefile Backed Memory | r |
|
|
|
- |
| thumbcache_idx.db | 0xe439e30000 | 0xe439e31fff | Memory Mapped File | rw |
|
|
|
- |
| thumbcache_32.db | 0xe439e40000 | 0xe439f3ffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000e439f40000 | 0xe439f40000 | 0xe439f42fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e439f50000 | 0xe439f50000 | 0xe439f50fff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xe439f60000 | 0xe439f63fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xe439f70000 | 0xe439f73fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e439f80000 | 0xe439f80000 | 0xe439f88fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439f90000 | 0xe439f90000 | 0xe439f90fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439fa0000 | 0xe439fa0000 | 0xe439fc3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439fd0000 | 0xe439fd0000 | 0xe439fd8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e439fe0000 | 0xe439fe0000 | 0xe43a0dffff | Private Memory | rw |
|
|
|
- |
| internet explorer.lnk | 0xe43a0e0000 | 0xe43a0e0fff | Memory Mapped File | r |
|
|
|
- |
| iconcache_idx.db | 0xe43a0f0000 | 0xe43a0f1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xe43a100000 | 0xe43a1fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x00007df5ff440000 | 0x7df5ff440000 | 0x7ff5ff43ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bc6f2000 | 0x7ff7bc6f2000 | 0x7ff7bc6f3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6f4000 | 0x7ff7bc6f4000 | 0x7ff7bc6f5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6f6000 | 0x7ff7bc6f6000 | 0x7ff7bc6f7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6f8000 | 0x7ff7bc6f8000 | 0x7ff7bc6f9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6fa000 | 0x7ff7bc6fa000 | 0x7ff7bc6fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6fc000 | 0x7ff7bc6fc000 | 0x7ff7bc6fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6fe000 | 0x7ff7bc6fe000 | 0x7ff7bc6fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bc700000 | 0x7ff7bc700000 | 0x7ff7bc7fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bc800000 | 0x7ff7bc800000 | 0x7ff7bc822fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bc824000 | 0x7ff7bc824000 | 0x7ff7bc825fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc826000 | 0x7ff7bc826000 | 0x7ff7bc827fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc828000 | 0x7ff7bc828000 | 0x7ff7bc828fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc82a000 | 0x7ff7bc82a000 | 0x7ff7bc82bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc82c000 | 0x7ff7bc82c000 | 0x7ff7bc82dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc82e000 | 0x7ff7bc82e000 | 0x7ff7bc82ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ff8dc780000 | 0x7ff8dca11fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ff8dcfd0000 | 0x7ff8dd018fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ff8dd900000 | 0x7ff8dd94afff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 10 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #6: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:17, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:20 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xc1c |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
1B8
0x
A3C
0x
A5C
0x
4D4
0x
A14
0x
708
0x
BE8
0x
F0
0x
340
0x
408
0x
718
0x
BF4
0x
3C8
0x
ED0
0x
7A8
0x
7C0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000a30b7e0000 | 0xa30b7e0000 | 0xa30b7effff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a30b7f0000 | 0xa30b7f0000 | 0xa30b7f6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30b800000 | 0xa30b800000 | 0xa30b813fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30b820000 | 0xa30b820000 | 0xa30b89ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30b8a0000 | 0xa30b8a0000 | 0xa30b8a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30b8b0000 | 0xa30b8b0000 | 0xa30b8b2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30b8c0000 | 0xa30b8c0000 | 0xa30b8c1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xa30b8d0000 | 0xa30b98dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30b990000 | 0xa30b990000 | 0xa30b99ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30b9a0000 | 0xa30b9a0000 | 0xa30b9a6fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xa30b9b0000 | 0xa30b9b0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30b9c0000 | 0xa30b9c0000 | 0xa30b9c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30b9d0000 | 0xa30b9d0000 | 0xa30b9d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30b9e0000 | 0xa30b9e0000 | 0xa30badffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30bae0000 | 0xa30bae0000 | 0xa30bb5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30bb60000 | 0xa30bb60000 | 0xa30bce7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30bcf0000 | 0xa30bcf0000 | 0xa30be70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30be80000 | 0xa30be80000 | 0xa30d27ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30d280000 | 0xa30d280000 | 0xa30d280fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30d290000 | 0xa30d290000 | 0xa30d291fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30d2a0000 | 0xa30d2a0000 | 0xa30d31ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30d320000 | 0xa30d320000 | 0xa30d39ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30d3a0000 | 0xa30d3a0000 | 0xa30d41ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30d420000 | 0xa30d420000 | 0xa30d420fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30d430000 | 0xa30d430000 | 0xa30d430fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a30d440000 | 0xa30d440000 | 0xa30d442fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30d450000 | 0xa30d450000 | 0xa30d45ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xa30d460000 | 0xa30d796fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30d7a0000 | 0xa30d7a0000 | 0xa30d81ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30d820000 | 0xa30d820000 | 0xa30d849fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a30d850000 | 0xa30d850000 | 0xa30d850fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000a30d860000 | 0xa30d860000 | 0xa30d861fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30d870000 | 0xa30d870000 | 0xa30d8effff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30d8f0000 | 0xa30d8f0000 | 0xa30d96ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xa30d970000 | 0xa30d971fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xa30d980000 | 0xa30d983fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30d990000 | 0xa30d990000 | 0xa30da0ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xa30da10000 | 0xa30da13fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xa30da20000 | 0xa30da62fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xa30da70000 | 0xa30da73fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xa30da80000 | 0xa30db0afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a30db10000 | 0xa30db10000 | 0xa30db12fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30db20000 | 0xa30db20000 | 0xa30db28fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30db30000 | 0xa30db30000 | 0xa30db30fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30db40000 | 0xa30db40000 | 0xa30dc3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30dc40000 | 0xa30dc40000 | 0xa30dc40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a30dc50000 | 0xa30dc50000 | 0xa30dc50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30dc60000 | 0xa30dc60000 | 0xa30dc60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30dc70000 | 0xa30dc70000 | 0xa30dceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30dcf0000 | 0xa30dcf0000 | 0xa30dcf0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30dd00000 | 0xa30dd00000 | 0xa30dd00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xa30dd10000 | 0xa30dd23fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xa30dd30000 | 0xa30dd31fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xa30dd40000 | 0xa30dd44fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30dd50000 | 0xa30dd50000 | 0xa30de4ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xa30de50000 | 0xa30de53fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xa30de60000 | 0xa30de72fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000a30de80000 | 0xa30de80000 | 0xa30de80fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000a30de90000 | 0xa30de90000 | 0xa30df0ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xa30df10000 | 0xa30df2bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30df30000 | 0xa30df30000 | 0xa30dfaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30dfb0000 | 0xa30dfb0000 | 0xa30e0affff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30e0b0000 | 0xa30e0b0000 | 0xa30e0b0fff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xa30e0c0000 | 0xa30e0c3fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0xa30e0d0000 | 0xa30e0d1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000a30e0e0000 | 0xa30e0e0000 | 0xa30e103fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30e110000 | 0xa30e110000 | 0xa30e118fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30e120000 | 0xa30e120000 | 0xa30e21ffff | Private Memory | rw |
|
|
|
- |
| iconcache_idx.db | 0xa30e220000 | 0xa30e221fff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000a30e230000 | 0xa30e230000 | 0xa30e232fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xa30e240000 | 0xa30e241fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xa30e250000 | 0xa30e34ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000a30e350000 | 0xa30e350000 | 0xa30e397fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xa30e3a0000 | 0xa30e3b0fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0xa30e3c0000 | 0xa30e4bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000a30e4c0000 | 0xa30e4c0000 | 0xa30e4c0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000a30e4d0000 | 0xa30e4d0000 | 0xa30e4dffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a30e4e0000 | 0xa30e4e0000 | 0xa30e4effff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000a30e4f0000 | 0xa30e4f0000 | 0xa30e4fffff | Pagefile Backed Memory | rw |
|
|
|
- |
| iconcache_32.db | 0xa30e500000 | 0xa30e5fffff | Memory Mapped File | rw |
|
|
|
- |
| pagefile_0x000000a30e600000 | 0xa30e600000 | 0xa30e602fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000a30e610000 | 0xa30e610000 | 0xa30e610fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30e620000 | 0xa30e620000 | 0xa30e620fff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xa30e630000 | 0xa30e633fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000a30e650000 | 0xa30e650000 | 0xa30e650fff | Private Memory | rw |
|
|
|
- |
| private_0x000000a30e660000 | 0xa30e660000 | 0xa30e6dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff6b0000 | 0x7df5ff6b0000 | 0x7ff5ff6affff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcbb2000 | 0x7ff7bcbb2000 | 0x7ff7bcbb3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbb4000 | 0x7ff7bcbb4000 | 0x7ff7bcbb5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbb6000 | 0x7ff7bcbb6000 | 0x7ff7bcbb7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbb8000 | 0x7ff7bcbb8000 | 0x7ff7bcbb9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbba000 | 0x7ff7bcbba000 | 0x7ff7bcbbbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbbc000 | 0x7ff7bcbbc000 | 0x7ff7bcbbdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcbbe000 | 0x7ff7bcbbe000 | 0x7ff7bcbbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcbc0000 | 0x7ff7bcbc0000 | 0x7ff7bccbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bccc0000 | 0x7ff7bccc0000 | 0x7ff7bcce2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bcce3000 | 0x7ff7bcce3000 | 0x7ff7bcce3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcce4000 | 0x7ff7bcce4000 | 0x7ff7bcce5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcce6000 | 0x7ff7bcce6000 | 0x7ff7bcce7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcce8000 | 0x7ff7bcce8000 | 0x7ff7bcce9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bccea000 | 0x7ff7bccea000 | 0x7ff7bccebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bccec000 | 0x7ff7bccec000 | 0x7ff7bccedfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bccee000 | 0x7ff7bccee000 | 0x7ff7bcceffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ff8dc780000 | 0x7ff8dca11fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ff8dcfd0000 | 0x7ff8dd018fff | Memory Mapped File | rwx |
|
|
|
- |
| linkinfo.dll | 0x7ff8dd8f0000 | 0x7ff8dd8fcfff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ff8dd900000 | 0x7ff8dd94afff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 17 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #9: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:20, Reason: RPC Server |
| Unmonitor | End Time: 00:01:49, Reason: Self Terminated |
| Monitor Duration | 00:00:29 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x4d8 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
C28
0x
C38
0x
C34
0x
C2C
0x
C24
0x
A2C
0x
AEC
0x
8D8
0x
450
0x
A6C
0x
574
0x
5FC
0x
DF4
0x
DFC
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001ebc9a0000 | 0x1ebc9a0000 | 0x1ebc9affff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001ebc9b0000 | 0x1ebc9b0000 | 0x1ebc9b6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebc9c0000 | 0x1ebc9c0000 | 0x1ebc9d3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebc9e0000 | 0x1ebc9e0000 | 0x1ebca5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebca60000 | 0x1ebca60000 | 0x1ebca63fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebca70000 | 0x1ebca70000 | 0x1ebca72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebca80000 | 0x1ebca80000 | 0x1ebca81fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebca90000 | 0x1ebca90000 | 0x1ebcb0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebcb10000 | 0x1ebcb10000 | 0x1ebcb16fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0x1ebcb20000 | 0x1ebcb20fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebcb30000 | 0x1ebcb30000 | 0x1ebcb30fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebcb40000 | 0x1ebcb40000 | 0x1ebcc3ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1ebcc40000 | 0x1ebccfdfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001ebcd00000 | 0x1ebcd00000 | 0x1ebce87fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebce90000 | 0x1ebce90000 | 0x1ebd010fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebd020000 | 0x1ebd020000 | 0x1ebd020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebd030000 | 0x1ebd030000 | 0x1ebd030fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebd040000 | 0x1ebd040000 | 0x1ebd041fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebd050000 | 0x1ebd050000 | 0x1ebd050fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebd060000 | 0x1ebd060000 | 0x1ebd060fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebd070000 | 0x1ebd070000 | 0x1ebd072fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebd080000 | 0x1ebd080000 | 0x1ebd08ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebd090000 | 0x1ebd090000 | 0x1ebe48ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebe490000 | 0x1ebe490000 | 0x1ebe50ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebe510000 | 0x1ebe510000 | 0x1ebe58ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebe590000 | 0x1ebe590000 | 0x1ebe60ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebe610000 | 0x1ebe610000 | 0x1ebe639fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001ebe640000 | 0x1ebe640000 | 0x1ebe64ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1ebe650000 | 0x1ebe986fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebe990000 | 0x1ebe990000 | 0x1ebea0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebea10000 | 0x1ebea10000 | 0x1ebea10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001ebea20000 | 0x1ebea20000 | 0x1ebea21fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebea30000 | 0x1ebea30000 | 0x1ebeaaffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebeab0000 | 0x1ebeab0000 | 0x1ebeb2ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0x1ebeb30000 | 0x1ebeb31fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0x1ebeb40000 | 0x1ebeb43fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebeb50000 | 0x1ebeb50000 | 0x1ebebcffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebebd0000 | 0x1ebebd0000 | 0x1ebeccffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebecd0000 | 0x1ebecd0000 | 0x1ebecd0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001ebece0000 | 0x1ebece0000 | 0x1ebece0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebecf0000 | 0x1ebecf0000 | 0x1ebecf0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebed00000 | 0x1ebed00000 | 0x1ebed7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebed80000 | 0x1ebed80000 | 0x1ebed80fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebed90000 | 0x1ebed90000 | 0x1ebed90fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0x1ebeda0000 | 0x1ebedb3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x1ebedc0000 | 0x1ebedc1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x1ebedd0000 | 0x1ebedd4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebede0000 | 0x1ebede0000 | 0x1ebeedffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x1ebeee0000 | 0x1ebeee3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x1ebeef0000 | 0x1ebef02fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001ebef10000 | 0x1ebef10000 | 0x1ebef10fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001ebef20000 | 0x1ebef20000 | 0x1ebef9ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x1ebefa0000 | 0x1ebefbbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebefc0000 | 0x1ebefc0000 | 0x1ebf03ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x1ebf040000 | 0x1ebf043fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x1ebf050000 | 0x1ebf092fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x1ebf0a0000 | 0x1ebf0a3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x1ebf0b0000 | 0x1ebf13afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001ebf140000 | 0x1ebf140000 | 0x1ebf23ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001ebf240000 | 0x1ebf240000 | 0x1ebf242fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001ebf250000 | 0x1ebf250000 | 0x1ebf250fff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x1ebf260000 | 0x1ebf263fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x1ebf270000 | 0x1ebf271fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001ebf280000 | 0x1ebf280000 | 0x1ebf288fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf290000 | 0x1ebf290000 | 0x1ebf290fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf2a0000 | 0x1ebf2a0000 | 0x1ebf2c3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf2d0000 | 0x1ebf2d0000 | 0x1ebf2d8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf2e0000 | 0x1ebf2e0000 | 0x1ebf3dffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x1ebf3e0000 | 0x1ebf3e3fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001ebf3f0000 | 0x1ebf3f0000 | 0x1ebf3f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x1ebf400000 | 0x1ebf401fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x1ebf410000 | 0x1ebf50ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001ebf510000 | 0x1ebf510000 | 0x1ebf557fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x1ebf560000 | 0x1ebf570fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0x1ebf580000 | 0x1ebf67ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001ebf680000 | 0x1ebf680000 | 0x1ebf680fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf690000 | 0x1ebf690000 | 0x1ebf690fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf6a0000 | 0x1ebf6a0000 | 0x1ebf6a0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf6c0000 | 0x1ebf6c0000 | 0x1ebf6c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001ebf6d0000 | 0x1ebf6d0000 | 0x1ebf74ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff2d0000 | 0x7df5ff2d0000 | 0x7ff5ff2cffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bd0e2000 | 0x7ff7bd0e2000 | 0x7ff7bd0e3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0e4000 | 0x7ff7bd0e4000 | 0x7ff7bd0e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0e6000 | 0x7ff7bd0e6000 | 0x7ff7bd0e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0e8000 | 0x7ff7bd0e8000 | 0x7ff7bd0e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0ea000 | 0x7ff7bd0ea000 | 0x7ff7bd0ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0ec000 | 0x7ff7bd0ec000 | 0x7ff7bd0edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd0ee000 | 0x7ff7bd0ee000 | 0x7ff7bd0effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bd0f0000 | 0x7ff7bd0f0000 | 0x7ff7bd1effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd1f0000 | 0x7ff7bd1f0000 | 0x7ff7bd212fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd213000 | 0x7ff7bd213000 | 0x7ff7bd214fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd215000 | 0x7ff7bd215000 | 0x7ff7bd216fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd217000 | 0x7ff7bd217000 | 0x7ff7bd218fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd219000 | 0x7ff7bd219000 | 0x7ff7bd219fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd21a000 | 0x7ff7bd21a000 | 0x7ff7bd21bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd21c000 | 0x7ff7bd21c000 | 0x7ff7bd21dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd21e000 | 0x7ff7bd21e000 | 0x7ff7bd21ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.staterepository.dll | 0x7ff8dc780000 | 0x7ff8dca11fff | Memory Mapped File | rwx |
|
|
|
- |
| veeventdispatcher.dll | 0x7ff8dcfd0000 | 0x7ff8dd018fff | Memory Mapped File | rwx |
|
|
|
- |
| thumbcache.dll | 0x7ff8dd900000 | 0x7ff8dd94afff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| windowscodecs.dll | 0x7ff8e86a0000 | 0x7ff8e8851fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 24 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #10: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:23, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:14 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa54 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
654
0x
420
0x
784
0x
630
0x
B50
0x
AE0
0x
D6C
0x
318
0x
D2C
0x
D10
0x
370
0x
F4
0x
35C
0x
32C
0x
B84
0x
1F8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000e0f9380000 | 0xe0f9380000 | 0xe0f938ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e0f9390000 | 0xe0f9390000 | 0xe0f9396fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0f93a0000 | 0xe0f93a0000 | 0xe0f93b3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0f93c0000 | 0xe0f93c0000 | 0xe0f943ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0f9440000 | 0xe0f9440000 | 0xe0f9443fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0f9450000 | 0xe0f9450000 | 0xe0f9452fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0f9460000 | 0xe0f9460000 | 0xe0f9461fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe0f9470000 | 0xe0f952dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e0f9530000 | 0xe0f9530000 | 0xe0f95affff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0f95b0000 | 0xe0f95b0000 | 0xe0f95b6fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xe0f95c0000 | 0xe0f95c0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e0f95d0000 | 0xe0f95d0000 | 0xe0f95d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0f95e0000 | 0xe0f95e0000 | 0xe0f95e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0f95f0000 | 0xe0f95f0000 | 0xe0f95f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0f9600000 | 0xe0f9600000 | 0xe0f9601fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0f9610000 | 0xe0f9610000 | 0xe0f9610fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0f9620000 | 0xe0f9620000 | 0xe0f971ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0f9720000 | 0xe0f9720000 | 0xe0f98a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0f98b0000 | 0xe0f98b0000 | 0xe0f992ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0f9930000 | 0xe0f9930000 | 0xe0f993ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0f9940000 | 0xe0f9940000 | 0xe0f9ac0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0f9ad0000 | 0xe0f9ad0000 | 0xe0faecffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0faed0000 | 0xe0faed0000 | 0xe0faf4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0faf50000 | 0xe0faf50000 | 0xe0fafcffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fafd0000 | 0xe0fafd0000 | 0xe0fb04ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0fb050000 | 0xe0fb050000 | 0xe0fb050fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000e0fb060000 | 0xe0fb060000 | 0xe0fb062fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0fb070000 | 0xe0fb070000 | 0xe0fb099fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000e0fb0a0000 | 0xe0fb0a0000 | 0xe0fb0a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000e0fb0b0000 | 0xe0fb0b0000 | 0xe0fb0b1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000e0fb0c0000 | 0xe0fb0c0000 | 0xe0fb0cffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xe0fb0d0000 | 0xe0fb406fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e0fb410000 | 0xe0fb410000 | 0xe0fb48ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fb490000 | 0xe0fb490000 | 0xe0fb50ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xe0fb510000 | 0xe0fb511fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xe0fb520000 | 0xe0fb523fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e0fb530000 | 0xe0fb530000 | 0xe0fb5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fb5b0000 | 0xe0fb5b0000 | 0xe0fb6affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0fb6b0000 | 0xe0fb6b0000 | 0xe0fb6b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000e0fb6c0000 | 0xe0fb6c0000 | 0xe0fb6c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fb6d0000 | 0xe0fb6d0000 | 0xe0fb6d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fb6e0000 | 0xe0fb6e0000 | 0xe0fb75ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000e0fb760000 | 0xe0fb760000 | 0xe0fb760fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000e0fb770000 | 0xe0fb770000 | 0xe0fb770fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xe0fb780000 | 0xe0fb793fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xe0fb7a0000 | 0xe0fb7a1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xe0fb7b0000 | 0xe0fb7b4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000e0fb7c0000 | 0xe0fb7c0000 | 0xe0fb8bffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xe0fb8d0000 | 0xe0fb8e2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000e0fb8f0000 | 0xe0fb8f0000 | 0xe0fb8f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ff210000 | 0x7df5ff210000 | 0x7ff5ff20ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcd48000 | 0x7ff7bcd48000 | 0x7ff7bcd49fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd4a000 | 0x7ff7bcd4a000 | 0x7ff7bcd4bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd4c000 | 0x7ff7bcd4c000 | 0x7ff7bcd4dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd4e000 | 0x7ff7bcd4e000 | 0x7ff7bcd4ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcd50000 | 0x7ff7bcd50000 | 0x7ff7bce4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bce50000 | 0x7ff7bce50000 | 0x7ff7bce72fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bce73000 | 0x7ff7bce73000 | 0x7ff7bce74fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce75000 | 0x7ff7bce75000 | 0x7ff7bce76fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce77000 | 0x7ff7bce77000 | 0x7ff7bce77fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce78000 | 0x7ff7bce78000 | 0x7ff7bce79fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce7a000 | 0x7ff7bce7a000 | 0x7ff7bce7bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce7c000 | 0x7ff7bce7c000 | 0x7ff7bce7dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bce7e000 | 0x7ff7bce7e000 | 0x7ff7bce7ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #11: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:26, Reason: RPC Server |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:27 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x7c0 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
854
0x
2FC
0x
CC8
0x
B58
0x
B14
0x
CE0
0x
7A8
0x
B84
0x
3A8
0x
DE4
0x
DE0
0x
DC0
0x
744
0x
5D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000000e9af30000 | 0xe9af30000 | 0xe9af3ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000e9af40000 | 0xe9af40000 | 0xe9af46fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9af50000 | 0xe9af50000 | 0xe9af63fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9af70000 | 0xe9af70000 | 0xe9afeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9aff0000 | 0xe9aff0000 | 0xe9aff3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9b000000 | 0xe9b000000 | 0xe9b002fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9b010000 | 0xe9b010000 | 0xe9b011fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9b020000 | 0xe9b020000 | 0xe9b026fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xe9b030000 | 0xe9b030fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9b040000 | 0xe9b040000 | 0xe9b040fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9b050000 | 0xe9b050000 | 0xe9b050fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9b060000 | 0xe9b060000 | 0xe9b06ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9b070000 | 0xe9b070000 | 0xe9b070fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9b080000 | 0xe9b080000 | 0xe9b17ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xe9b180000 | 0xe9b23dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9b240000 | 0xe9b240000 | 0xe9b2bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9b2c0000 | 0xe9b2c0000 | 0xe9b447fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9b450000 | 0xe9b450000 | 0xe9b5d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9b5e0000 | 0xe9b5e0000 | 0xe9c9dffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9c9e0000 | 0xe9c9e0000 | 0xe9c9e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9c9f0000 | 0xe9c9f0000 | 0xe9ca6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9ca70000 | 0xe9ca70000 | 0xe9caeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9caf0000 | 0xe9caf0000 | 0xe9cb6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9cb70000 | 0xe9cb70000 | 0xe9cb7ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xe9cb80000 | 0xe9ceb6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9cec0000 | 0xe9cec0000 | 0xe9cf3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9cf40000 | 0xe9cf40000 | 0xe9cf40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9cf50000 | 0xe9cf50000 | 0xe9cf50fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9cf60000 | 0xe9cf60000 | 0xe9cf62fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9cf70000 | 0xe9cf70000 | 0xe9cf99fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9cfa0000 | 0xe9cfa0000 | 0xe9cfa0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000e9cfb0000 | 0xe9cfb0000 | 0xe9cfb1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9cfc0000 | 0xe9cfc0000 | 0xe9d03ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d040000 | 0xe9d040000 | 0xe9d0bffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xe9d0c0000 | 0xe9d0c1fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xe9d0d0000 | 0xe9d0d3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9d0e0000 | 0xe9d0e0000 | 0xe9d15ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9d160000 | 0xe9d160000 | 0xe9d28afff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0xe9d160000 | 0xe9d163fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xe9d170000 | 0xe9d1b2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xe9d1c0000 | 0xe9d1c3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xe9d1d0000 | 0xe9d25afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000e9d260000 | 0xe9d260000 | 0xe9d262fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000e9d270000 | 0xe9d270000 | 0xe9d278fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d280000 | 0xe9d280000 | 0xe9d280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d290000 | 0xe9d290000 | 0xe9d38ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9d390000 | 0xe9d390000 | 0xe9d390fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000e9d3a0000 | 0xe9d3a0000 | 0xe9d3a0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d3b0000 | 0xe9d3b0000 | 0xe9d3b0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d3c0000 | 0xe9d3c0000 | 0xe9d43ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d440000 | 0xe9d440000 | 0xe9d440fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000e9d450000 | 0xe9d450000 | 0xe9d450fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xe9d460000 | 0xe9d473fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xe9d480000 | 0xe9d481fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xe9d490000 | 0xe9d494fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9d4a0000 | 0xe9d4a0000 | 0xe9d59ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xe9d5a0000 | 0xe9d5a3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xe9d5b0000 | 0xe9d5c2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000e9d5d0000 | 0xe9d5d0000 | 0xe9d5d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xe9d5e0000 | 0xe9d5fbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000e9d600000 | 0xe9d600000 | 0xe9d67ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d680000 | 0xe9d680000 | 0xe9d6fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d700000 | 0xe9d700000 | 0xe9d7fffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xe9d810000 | 0xe9d813fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0xe9d820000 | 0xe9d821fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000e9d830000 | 0xe9d830000 | 0xe9d853fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d860000 | 0xe9d860000 | 0xe9d868fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9d870000 | 0xe9d870000 | 0xe9d96ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xe9d970000 | 0xe9d973fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000e9d980000 | 0xe9d980000 | 0xe9d982fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xe9d990000 | 0xe9d991fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xe9d9a0000 | 0xe9da9ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000e9daa0000 | 0xe9daa0000 | 0xe9dae7fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xe9daf0000 | 0xe9db00fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0xe9db10000 | 0xe9dc0ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000e9dc50000 | 0xe9dc50000 | 0xe9dc57fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9dc60000 | 0xe9dc60000 | 0xe9de5ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9de60000 | 0xe9de60000 | 0xe9dedffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000e9def0000 | 0xe9def0000 | 0xe9def0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff10000 | 0x7df5fff10000 | 0x7ff5fff0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bc6b4000 | 0x7ff7bc6b4000 | 0x7ff7bc6b5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6b6000 | 0x7ff7bc6b6000 | 0x7ff7bc6b7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6b8000 | 0x7ff7bc6b8000 | 0x7ff7bc6b9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6ba000 | 0x7ff7bc6ba000 | 0x7ff7bc6bbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6bc000 | 0x7ff7bc6bc000 | 0x7ff7bc6bdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc6be000 | 0x7ff7bc6be000 | 0x7ff7bc6bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bc6c0000 | 0x7ff7bc6c0000 | 0x7ff7bc7bffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bc7c0000 | 0x7ff7bc7c0000 | 0x7ff7bc7e2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bc7e4000 | 0x7ff7bc7e4000 | 0x7ff7bc7e5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7e6000 | 0x7ff7bc7e6000 | 0x7ff7bc7e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7e8000 | 0x7ff7bc7e8000 | 0x7ff7bc7e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7ea000 | 0x7ff7bc7ea000 | 0x7ff7bc7ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7ec000 | 0x7ff7bc7ec000 | 0x7ff7bc7edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7ee000 | 0x7ff7bc7ee000 | 0x7ff7bc7eefff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 15 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #12: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:30, Reason: RPC Server |
| Unmonitor | End Time: 00:04:37, Reason: Terminated by Timeout |
| Monitor Duration | 00:03:07 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x898 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
430
0x
7B4
0x
41C
0x
D3C
0x
128
0x
8DC
0x
D84
0x
D8C
0x
D90
0x
D88
0x
D80
0x
CF0
0x
A9C
0x
A84
0x
F44
0x
EE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000059ac500000 | 0x59ac500000 | 0x59ac50ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000059ac510000 | 0x59ac510000 | 0x59ac516fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ac520000 | 0x59ac520000 | 0x59ac533fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059ac540000 | 0x59ac540000 | 0x59ac5bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ac5c0000 | 0x59ac5c0000 | 0x59ac5c3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000059ac5d0000 | 0x59ac5d0000 | 0x59ac5d2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059ac5e0000 | 0x59ac5e0000 | 0x59ac5e1fff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ac5f0000 | 0x59ac5f0000 | 0x59ac5f6fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0x59ac600000 | 0x59ac600fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000059ac610000 | 0x59ac610000 | 0x59ac610fff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ac620000 | 0x59ac620000 | 0x59ac620fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ac630000 | 0x59ac630000 | 0x59ac630fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000059ac640000 | 0x59ac640000 | 0x59ac641fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000059ac650000 | 0x59ac650000 | 0x59ac650fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059ac660000 | 0x59ac660000 | 0x59ac75ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x59ac760000 | 0x59ac81dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000059ac820000 | 0x59ac820000 | 0x59ac89ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ac8a0000 | 0x59ac8a0000 | 0x59aca27fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059aca30000 | 0x59aca30000 | 0x59acaaffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059acab0000 | 0x59acab0000 | 0x59acabffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059acac0000 | 0x59acac0000 | 0x59acb3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059acb40000 | 0x59acb40000 | 0x59acb40fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000059acb50000 | 0x59acb50000 | 0x59acb52fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000059acb60000 | 0x59acb60000 | 0x59acb60fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059acb70000 | 0x59acb70000 | 0x59acb7ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059acb80000 | 0x59acb80000 | 0x59acd00fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000059acd10000 | 0x59acd10000 | 0x59ae10ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x59ae110000 | 0x59ae446fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000059ae450000 | 0x59ae450000 | 0x59ae4cffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae4d0000 | 0x59ae4d0000 | 0x59ae54ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ae550000 | 0x59ae550000 | 0x59ae579fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00000059ae580000 | 0x59ae580000 | 0x59ae581fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000059ae590000 | 0x59ae590000 | 0x59ae60ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae610000 | 0x59ae610000 | 0x59ae68ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0x59ae690000 | 0x59ae691fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0x59ae6a0000 | 0x59ae6a3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000059ae6b0000 | 0x59ae6b0000 | 0x59ae72ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae730000 | 0x59ae730000 | 0x59ae82ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ae830000 | 0x59ae830000 | 0x59ae830fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000059ae840000 | 0x59ae840000 | 0x59ae840fff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae850000 | 0x59ae850000 | 0x59ae850fff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae860000 | 0x59ae860000 | 0x59ae8dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000059ae8e0000 | 0x59ae8e0000 | 0x59ae8e0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000059ae8f0000 | 0x59ae8f0000 | 0x59ae8f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0x59ae900000 | 0x59ae913fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x59ae920000 | 0x59ae921fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x59ae930000 | 0x59ae934fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000059ae940000 | 0x59ae940000 | 0x59aea3ffff | Private Memory | rw |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x59aea50000 | 0x59aea62fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000059aea70000 | 0x59aea70000 | 0x59aea70fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff10000 | 0x7df5fff10000 | 0x7ff5fff0ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcc58000 | 0x7ff7bcc58000 | 0x7ff7bcc59fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcc5a000 | 0x7ff7bcc5a000 | 0x7ff7bcc5bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcc5c000 | 0x7ff7bcc5c000 | 0x7ff7bcc5dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcc5e000 | 0x7ff7bcc5e000 | 0x7ff7bcc5ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcc60000 | 0x7ff7bcc60000 | 0x7ff7bcd5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bcd60000 | 0x7ff7bcd60000 | 0x7ff7bcd82fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bcd83000 | 0x7ff7bcd83000 | 0x7ff7bcd84fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd85000 | 0x7ff7bcd85000 | 0x7ff7bcd86fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd87000 | 0x7ff7bcd87000 | 0x7ff7bcd87fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd88000 | 0x7ff7bcd88000 | 0x7ff7bcd89fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd8a000 | 0x7ff7bcd8a000 | 0x7ff7bcd8bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd8c000 | 0x7ff7bcd8c000 | 0x7ff7bcd8dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcd8e000 | 0x7ff7bcd8e000 | 0x7ff7bcd8ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #13: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:32, Reason: RPC Server |
| Unmonitor | End Time: 00:01:53, Reason: Self Terminated |
| Monitor Duration | 00:00:21 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x5cc |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D98
0x
CF4
0x
380
0x
91C
0x
88C
0x
DAC
0x
E68
0x
E6C
0x
E70
0x
E58
0x
E94
0x
A34
0x
F44
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000008511d60000 | 0x8511d60000 | 0x8511d6ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008511d70000 | 0x8511d70000 | 0x8511d76fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008511d80000 | 0x8511d80000 | 0x8511d93fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008511da0000 | 0x8511da0000 | 0x8511e1ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008511e20000 | 0x8511e20000 | 0x8511e23fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008511e30000 | 0x8511e30000 | 0x8511e32fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008511e40000 | 0x8511e40000 | 0x8511e41fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x8511e50000 | 0x8511f0dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008511f10000 | 0x8511f10000 | 0x8511f8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008511f90000 | 0x8511f90000 | 0x8511f96fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0x8511fa0000 | 0x8511fa0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008511fb0000 | 0x8511fb0000 | 0x8511fb0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008511fc0000 | 0x8511fc0000 | 0x8511fc0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008511fd0000 | 0x8511fd0000 | 0x8511fd0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008511fe0000 | 0x8511fe0000 | 0x8511fe1fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008511ff0000 | 0x8511ff0000 | 0x8511ff0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008512000000 | 0x8512000000 | 0x85120fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008512100000 | 0x8512100000 | 0x8512287fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008512290000 | 0x8512290000 | 0x8512410fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008512420000 | 0x8512420000 | 0x8512420fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008512430000 | 0x8512430000 | 0x851243ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008512440000 | 0x8512440000 | 0x851383ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008513840000 | 0x8513840000 | 0x85138bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000085138c0000 | 0x85138c0000 | 0x85138c2fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000085138d0000 | 0x85138d0000 | 0x85138d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000085138e0000 | 0x85138e0000 | 0x85138e1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000085138f0000 | 0x85138f0000 | 0x85138fffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x8513900000 | 0x8513c36fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008513c40000 | 0x8513c40000 | 0x8513cbffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008513cc0000 | 0x8513cc0000 | 0x8513d3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008513d40000 | 0x8513d40000 | 0x8513dbffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008513dc0000 | 0x8513dc0000 | 0x8513de9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000008513df0000 | 0x8513df0000 | 0x8513e6ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008513e70000 | 0x8513e70000 | 0x8513eeffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0x8513ef0000 | 0x8513ef1fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0x8513f00000 | 0x8513f03fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008513f10000 | 0x8513f10000 | 0x8513f8ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008513f90000 | 0x8513f90000 | 0x85140bafff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0x8513f90000 | 0x8513f93fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x8513fa0000 | 0x8513fe2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x8513ff0000 | 0x8513ff3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x8514000000 | 0x851408afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008514090000 | 0x8514090000 | 0x8514092fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000085140a0000 | 0x85140a0000 | 0x85140a8fff | Private Memory | rw |
|
|
|
- |
| private_0x00000085140b0000 | 0x85140b0000 | 0x85140b0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000085140c0000 | 0x85140c0000 | 0x85141bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000085141c0000 | 0x85141c0000 | 0x85141c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000085141d0000 | 0x85141d0000 | 0x85141d0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000085141e0000 | 0x85141e0000 | 0x85141e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000085141f0000 | 0x85141f0000 | 0x851426ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514270000 | 0x8514270000 | 0x8514270fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008514280000 | 0x8514280000 | 0x8514280fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0x8514290000 | 0x85142a3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x85142b0000 | 0x85142b1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x85142c0000 | 0x85142c4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000085142d0000 | 0x85142d0000 | 0x85143cffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x85143d0000 | 0x85143d3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x85143e0000 | 0x85143f2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008514400000 | 0x8514400000 | 0x8514400fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x8514410000 | 0x851442bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008514430000 | 0x8514430000 | 0x85144affff | Private Memory | rw |
|
|
|
- |
| private_0x00000085144b0000 | 0x85144b0000 | 0x85145affff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x85145c0000 | 0x85145c3fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x85145d0000 | 0x85145d1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000085145e0000 | 0x85145e0000 | 0x8514603fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514610000 | 0x8514610000 | 0x8514618fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514620000 | 0x8514620000 | 0x851471ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x8514720000 | 0x8514723fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000008514730000 | 0x8514730000 | 0x8514732fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x8514740000 | 0x8514741fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x8514750000 | 0x851484ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000008514850000 | 0x8514850000 | 0x8514897fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x85148a0000 | 0x85148b0fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0x85148c0000 | 0x85149bffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000008514a00000 | 0x8514a00000 | 0x8514a07fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514a10000 | 0x8514a10000 | 0x8514a8ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514a90000 | 0x8514a90000 | 0x8514a90fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514aa0000 | 0x8514aa0000 | 0x8514aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008514b00000 | 0x8514b00000 | 0x8514b0ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x8514b90000 | 0x8514c05fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffd70000 | 0x7df5ffd70000 | 0x7ff5ffd6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bd4e6000 | 0x7ff7bd4e6000 | 0x7ff7bd4e7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd4e8000 | 0x7ff7bd4e8000 | 0x7ff7bd4e9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd4ea000 | 0x7ff7bd4ea000 | 0x7ff7bd4ebfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd4ec000 | 0x7ff7bd4ec000 | 0x7ff7bd4edfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd4ee000 | 0x7ff7bd4ee000 | 0x7ff7bd4effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bd4f0000 | 0x7ff7bd4f0000 | 0x7ff7bd5effff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd5f0000 | 0x7ff7bd5f0000 | 0x7ff7bd612fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd614000 | 0x7ff7bd614000 | 0x7ff7bd614fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd616000 | 0x7ff7bd616000 | 0x7ff7bd617fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd618000 | 0x7ff7bd618000 | 0x7ff7bd619fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd61a000 | 0x7ff7bd61a000 | 0x7ff7bd61bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd61c000 | 0x7ff7bd61c000 | 0x7ff7bd61dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd61e000 | 0x7ff7bd61e000 | 0x7ff7bd61ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 13 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #15: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:36, Reason: RPC Server |
| Unmonitor | End Time: 00:01:54, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xdb8 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
D04
0x
CE4
0x
CD8
0x
CEC
0x
DBC
0x
DC4
0x
EC4
0x
EC0
0x
E60
0x
EE0
0x
EDC
0x
EEC
0x
DF8
0x
E24
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000f888130000 | 0xf888130000 | 0xf88813ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f888140000 | 0xf888140000 | 0xf888146fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f888150000 | 0xf888150000 | 0xf888163fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f888170000 | 0xf888170000 | 0xf8881effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f8881f0000 | 0xf8881f0000 | 0xf8881f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f888200000 | 0xf888200000 | 0xf888202fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f888210000 | 0xf888210000 | 0xf888211fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xf888220000 | 0xf8882ddfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f8882e0000 | 0xf8882e0000 | 0xf88835ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f888360000 | 0xf888360000 | 0xf888366fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f888370000 | 0xf888370000 | 0xf88846ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f888470000 | 0xf888470000 | 0xf8885f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| openwith.exe.mui | 0xf888600000 | 0xf888600fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f888610000 | 0xf888610000 | 0xf888610fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f888620000 | 0xf888620000 | 0xf888620fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f888630000 | 0xf888630000 | 0xf888630fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f888640000 | 0xf888640000 | 0xf888641fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f888650000 | 0xf888650000 | 0xf8886cffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f8886d0000 | 0xf8886d0000 | 0xf8886dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f8886e0000 | 0xf8886e0000 | 0xf888860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f888870000 | 0xf888870000 | 0xf889c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f889c70000 | 0xf889c70000 | 0xf889ceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f889cf0000 | 0xf889cf0000 | 0xf889d6ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f889d70000 | 0xf889d70000 | 0xf889deffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f889df0000 | 0xf889df0000 | 0xf889df0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f889e00000 | 0xf889e00000 | 0xf889e00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000f889e10000 | 0xf889e10000 | 0xf889e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f889e20000 | 0xf889e20000 | 0xf889e20fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000f889e30000 | 0xf889e30000 | 0xf889e31fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f889e40000 | 0xf889e40000 | 0xf889e4ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xf889e50000 | 0xf88a186fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f88a190000 | 0xf88a190000 | 0xf88a1b9fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f88a1c0000 | 0xf88a1c0000 | 0xf88a23ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a240000 | 0xf88a240000 | 0xf88a2bffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xf88a2c0000 | 0xf88a2c1fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xf88a2d0000 | 0xf88a2d3fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f88a2e0000 | 0xf88a2e0000 | 0xf88a35ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f88a360000 | 0xf88a360000 | 0xf88a48afff | Pagefile Backed Memory | rw |
|
|
|
- |
| cversions.2.db | 0xf88a360000 | 0xf88a363fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xf88a370000 | 0xf88a3b2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xf88a3c0000 | 0xf88a3c3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xf88a3d0000 | 0xf88a45afff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f88a460000 | 0xf88a460000 | 0xf88a462fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000f88a470000 | 0xf88a470000 | 0xf88a478fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a480000 | 0xf88a480000 | 0xf88a480fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f88a490000 | 0xf88a490000 | 0xf88a490fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f88a4a0000 | 0xf88a4a0000 | 0xf88a4a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a4b0000 | 0xf88a4b0000 | 0xf88a4b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a4c0000 | 0xf88a4c0000 | 0xf88a53ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a540000 | 0xf88a540000 | 0xf88a63ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a640000 | 0xf88a640000 | 0xf88a640fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000f88a650000 | 0xf88a650000 | 0xf88a650fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xf88a660000 | 0xf88a673fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xf88a680000 | 0xf88a681fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xf88a690000 | 0xf88a694fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f88a6a0000 | 0xf88a6a0000 | 0xf88a79ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xf88a7a0000 | 0xf88a7a3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xf88a7b0000 | 0xf88a7c2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f88a7d0000 | 0xf88a7d0000 | 0xf88a7d0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000f88a7e0000 | 0xf88a7e0000 | 0xf88a85ffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xf88a860000 | 0xf88a87bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000f88a880000 | 0xf88a880000 | 0xf88a8fffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88a900000 | 0xf88a900000 | 0xf88a9fffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xf88aa10000 | 0xf88aa13fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0xf88aa20000 | 0xf88aa21fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000f88aa30000 | 0xf88aa30000 | 0xf88aa53fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88aa60000 | 0xf88aa60000 | 0xf88aa68fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88aa70000 | 0xf88aa70000 | 0xf88ab6ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xf88ab70000 | 0xf88ab73fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000f88ab80000 | 0xf88ab80000 | 0xf88ab82fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xf88ab90000 | 0xf88ab91fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xf88aba0000 | 0xf88ac9ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000f88aca0000 | 0xf88aca0000 | 0xf88ace7fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xf88acf0000 | 0xf88ad00fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0xf88ad10000 | 0xf88ae0ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000f88ae50000 | 0xf88ae50000 | 0xf88ae57fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88ae60000 | 0xf88ae60000 | 0xf88aedffff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88af60000 | 0xf88af60000 | 0xf88af60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88af70000 | 0xf88af70000 | 0xf88af70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000f88afc0000 | 0xf88afc0000 | 0xf88afcffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007df5fff50000 | 0x7df5fff50000 | 0x7ff5fff4ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bd3f6000 | 0x7ff7bd3f6000 | 0x7ff7bd3f7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd3f8000 | 0x7ff7bd3f8000 | 0x7ff7bd3f9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd3fa000 | 0x7ff7bd3fa000 | 0x7ff7bd3fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd3fc000 | 0x7ff7bd3fc000 | 0x7ff7bd3fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd3fe000 | 0x7ff7bd3fe000 | 0x7ff7bd3fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bd400000 | 0x7ff7bd400000 | 0x7ff7bd4fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd500000 | 0x7ff7bd500000 | 0x7ff7bd522fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd524000 | 0x7ff7bd524000 | 0x7ff7bd525fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd526000 | 0x7ff7bd526000 | 0x7ff7bd527fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd528000 | 0x7ff7bd528000 | 0x7ff7bd529fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd52a000 | 0x7ff7bd52a000 | 0x7ff7bd52afff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd52c000 | 0x7ff7bd52c000 | 0x7ff7bd52dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd52e000 | 0x7ff7bd52e000 | 0x7ff7bd52ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 17 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #16: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:38, Reason: RPC Server |
| Unmonitor | End Time: 00:01:56, Reason: Self Terminated |
| Monitor Duration | 00:00:18 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xcdc |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
EB0
0x
EAC
0x
E9C
0x
E40
0x
CD4
0x
EBC
0x
E7C
0x
C64
0x
C68
0x
F4C
0x
F48
0x
228
0x
E28
0x
D14
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x0000001f5efd0000 | 0x1f5efd0000 | 0x1f5efdffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001f5efe0000 | 0x1f5efe0000 | 0x1f5efe6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f5eff0000 | 0x1f5eff0000 | 0x1f5f003fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001f5f010000 | 0x1f5f010000 | 0x1f5f08ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f5f090000 | 0x1f5f090000 | 0x1f5f093fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f5f0a0000 | 0x1f5f0a0000 | 0x1f5f0a2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001f5f0b0000 | 0x1f5f0b0000 | 0x1f5f0b1fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f5f0c0000 | 0x1f5f0c0000 | 0x1f5f0c6fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f5f0d0000 | 0x1f5f0d0000 | 0x1f5f1cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x1f5f1d0000 | 0x1f5f28dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f5f290000 | 0x1f5f290000 | 0x1f5f30ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f5f310000 | 0x1f5f310000 | 0x1f5f497fff | Pagefile Backed Memory | r |
|
|
|
- |
| openwith.exe.mui | 0x1f5f4a0000 | 0x1f5f4a0fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f5f4b0000 | 0x1f5f4b0000 | 0x1f5f4bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f5f4c0000 | 0x1f5f4c0000 | 0x1f5f640fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f5f650000 | 0x1f5f650000 | 0x1f60a4ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001f60a50000 | 0x1f60a50000 | 0x1f60a50fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f60a60000 | 0x1f60a60000 | 0x1f60a60fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f60a70000 | 0x1f60a70000 | 0x1f60a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f60a80000 | 0x1f60a80000 | 0x1f60a81fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001f60a90000 | 0x1f60a90000 | 0x1f60b0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f60b10000 | 0x1f60b10000 | 0x1f60b10fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f60b20000 | 0x1f60b20000 | 0x1f60b20fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001f60b30000 | 0x1f60b30000 | 0x1f60b3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x1f60b40000 | 0x1f60e76fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f60e80000 | 0x1f60e80000 | 0x1f60efffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f60f00000 | 0x1f60f00000 | 0x1f60f7ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f60f80000 | 0x1f60f80000 | 0x1f60ffffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f61000000 | 0x1f61000000 | 0x1f61002fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f61010000 | 0x1f61010000 | 0x1f61039fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000001f61040000 | 0x1f61040000 | 0x1f61040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000001f61050000 | 0x1f61050000 | 0x1f61051fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000001f61060000 | 0x1f61060000 | 0x1f610dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f610e0000 | 0x1f610e0000 | 0x1f6115ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0x1f61160000 | 0x1f61161fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0x1f61170000 | 0x1f61173fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f61180000 | 0x1f61180000 | 0x1f611fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61200000 | 0x1f61200000 | 0x1f612fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f61300000 | 0x1f61300000 | 0x1f61300fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000001f61310000 | 0x1f61310000 | 0x1f61310fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61320000 | 0x1f61320000 | 0x1f61320fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61330000 | 0x1f61330000 | 0x1f613affff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f613b0000 | 0x1f613b0000 | 0x1f613b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f613c0000 | 0x1f613c0000 | 0x1f613c0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0x1f613d0000 | 0x1f613e3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x1f613f0000 | 0x1f613f1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x1f61400000 | 0x1f61404fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f61410000 | 0x1f61410000 | 0x1f6150ffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x1f61510000 | 0x1f61513fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x1f61520000 | 0x1f61532fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000001f61540000 | 0x1f61540000 | 0x1f61540fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x1f61550000 | 0x1f6156bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f61570000 | 0x1f61570000 | 0x1f615effff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f615f0000 | 0x1f615f0000 | 0x1f6166ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x1f61670000 | 0x1f61673fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x1f61680000 | 0x1f616c2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x1f616d0000 | 0x1f616d3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x1f616e0000 | 0x1f6176afff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f61770000 | 0x1f61770000 | 0x1f6186ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f61870000 | 0x1f61870000 | 0x1f61872fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x1f61890000 | 0x1f61893fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x1f618a0000 | 0x1f618a1fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001f618b0000 | 0x1f618b0000 | 0x1f618b8fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f618c0000 | 0x1f618c0000 | 0x1f618c0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f618d0000 | 0x1f618d0000 | 0x1f618f3fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61900000 | 0x1f61900000 | 0x1f61908fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61910000 | 0x1f61910000 | 0x1f61a0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000001f61a20000 | 0x1f61a20000 | 0x1f61a22fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x1f61a30000 | 0x1f61a31fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x1f61a40000 | 0x1f61b3ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001f61b40000 | 0x1f61b40000 | 0x1f61b87fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x1f61b90000 | 0x1f61ba0fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0x1f61bb0000 | 0x1f61caffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000001f61cd0000 | 0x1f61cd0000 | 0x1f61ecffff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61ee0000 | 0x1f61ee0000 | 0x1f61ee7fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f61ef0000 | 0x1f61ef0000 | 0x1f61f6ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x1f61ff0000 | 0x1f62065fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000001f62100000 | 0x1f62100000 | 0x1f62100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000001f62110000 | 0x1f62110000 | 0x1f6211ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x1f62120000 | 0x1f6311ffff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0x1f63120000 | 0x1f6391ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0x1f63920000 | 0x1f639fefff | Memory Mapped File | r |
|
|
|
- |
| seguisb.ttf | 0x1f63a00000 | 0x1f63ae2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ffa70000 | 0x7df5ffa70000 | 0x7ff5ffa6ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcf30000 | 0x7ff7bcf30000 | 0x7ff7bcf31fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf32000 | 0x7ff7bcf32000 | 0x7ff7bcf33fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf34000 | 0x7ff7bcf34000 | 0x7ff7bcf35fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf36000 | 0x7ff7bcf36000 | 0x7ff7bcf37fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf38000 | 0x7ff7bcf38000 | 0x7ff7bcf39fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3a000 | 0x7ff7bcf3a000 | 0x7ff7bcf3bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3c000 | 0x7ff7bcf3c000 | 0x7ff7bcf3dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcf3e000 | 0x7ff7bcf3e000 | 0x7ff7bcf3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcf40000 | 0x7ff7bcf40000 | 0x7ff7bd03ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd040000 | 0x7ff7bd040000 | 0x7ff7bd062fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd064000 | 0x7ff7bd064000 | 0x7ff7bd065fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd066000 | 0x7ff7bd066000 | 0x7ff7bd067fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd068000 | 0x7ff7bd068000 | 0x7ff7bd069fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06a000 | 0x7ff7bd06a000 | 0x7ff7bd06bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06c000 | 0x7ff7bd06c000 | 0x7ff7bd06dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd06e000 | 0x7ff7bd06e000 | 0x7ff7bd06efff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| staterepository.core.dll | 0x7ff8dc6e0000 | 0x7ff8dc778fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 13 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #17: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:40, Reason: RPC Server |
| Unmonitor | End Time: 00:01:57, Reason: Self Terminated |
| Monitor Duration | 00:00:17 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xeb4 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
DE8
0x
DEC
0x
EF0
0x
EA8
0x
E90
0x
E04
0x
27C
0x
76C
0x
73C
0x
610
0x
67C
0x
A98
0x
6C4
0x
6C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5570000 | 0xb3d5570000 | 0xb3d557ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b3d5580000 | 0xb3d5580000 | 0xb3d5586fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d5590000 | 0xb3d5590000 | 0xb3d55a3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b3d55b0000 | 0xb3d55b0000 | 0xb3d562ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d5630000 | 0xb3d5630000 | 0xb3d5633fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5640000 | 0xb3d5640000 | 0xb3d5642fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b3d5650000 | 0xb3d5650000 | 0xb3d5651fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d5660000 | 0xb3d5660000 | 0xb3d5666fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d5670000 | 0xb3d5670000 | 0xb3d576ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xb3d5770000 | 0xb3d582dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d5830000 | 0xb3d5830000 | 0xb3d58affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d58b0000 | 0xb3d58b0000 | 0xb3d5a37fff | Pagefile Backed Memory | r |
|
|
|
- |
| openwith.exe.mui | 0xb3d5a40000 | 0xb3d5a40fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d5a50000 | 0xb3d5a50000 | 0xb3d5a50fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d5a60000 | 0xb3d5a60000 | 0xb3d5a60fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d5a70000 | 0xb3d5a70000 | 0xb3d5a70fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5a80000 | 0xb3d5a80000 | 0xb3d5a81fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5a90000 | 0xb3d5a90000 | 0xb3d5a90fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5aa0000 | 0xb3d5aa0000 | 0xb3d5aa0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b3d5ab0000 | 0xb3d5ab0000 | 0xb3d5abffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d5ac0000 | 0xb3d5ac0000 | 0xb3d5c40fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d5c50000 | 0xb3d5c50000 | 0xb3d704ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d7050000 | 0xb3d7050000 | 0xb3d7052fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000b3d7060000 | 0xb3d7060000 | 0xb3d7089fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d7090000 | 0xb3d7090000 | 0xb3d7090fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b3d70a0000 | 0xb3d70a0000 | 0xb3d70affff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xb3d70b0000 | 0xb3d73e6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d73f0000 | 0xb3d73f0000 | 0xb3d746ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7470000 | 0xb3d7470000 | 0xb3d74effff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d74f0000 | 0xb3d74f0000 | 0xb3d756ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7570000 | 0xb3d7570000 | 0xb3d75effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d75f0000 | 0xb3d75f0000 | 0xb3d75f1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000b3d7600000 | 0xb3d7600000 | 0xb3d767ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7680000 | 0xb3d7680000 | 0xb3d76fffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0xb3d7700000 | 0xb3d7701fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xb3d7710000 | 0xb3d7713fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d7720000 | 0xb3d7720000 | 0xb3d779ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d77a0000 | 0xb3d77a0000 | 0xb3d789ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d78a0000 | 0xb3d78a0000 | 0xb3d78a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000b3d78b0000 | 0xb3d78b0000 | 0xb3d78b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d78c0000 | 0xb3d78c0000 | 0xb3d78c0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d78d0000 | 0xb3d78d0000 | 0xb3d794ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7950000 | 0xb3d7950000 | 0xb3d7950fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d7960000 | 0xb3d7960000 | 0xb3d7960fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xb3d7970000 | 0xb3d7983fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xb3d7990000 | 0xb3d7991fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xb3d79a0000 | 0xb3d79a4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d79b0000 | 0xb3d79b0000 | 0xb3d7aaffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xb3d7ab0000 | 0xb3d7ab3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xb3d7ac0000 | 0xb3d7ad2fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b3d7ae0000 | 0xb3d7ae0000 | 0xb3d7ae0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xb3d7af0000 | 0xb3d7b0bfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d7b10000 | 0xb3d7b10000 | 0xb3d7b8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7b90000 | 0xb3d7b90000 | 0xb3d7c0ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xb3d7c10000 | 0xb3d7c13fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xb3d7c20000 | 0xb3d7c62fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xb3d7c70000 | 0xb3d7c73fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xb3d7c80000 | 0xb3d7d0afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d7d10000 | 0xb3d7d10000 | 0xb3d7e0ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d7e10000 | 0xb3d7e10000 | 0xb3d7e12fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0xb3d7e30000 | 0xb3d7e33fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0xb3d7e40000 | 0xb3d7e41fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000b3d7e50000 | 0xb3d7e50000 | 0xb3d7e58fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7e60000 | 0xb3d7e60000 | 0xb3d7e60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7e70000 | 0xb3d7e70000 | 0xb3d7e93fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7ea0000 | 0xb3d7ea0000 | 0xb3d7ea8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d7eb0000 | 0xb3d7eb0000 | 0xb3d7faffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000b3d7fc0000 | 0xb3d7fc0000 | 0xb3d7fc2fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xb3d7fd0000 | 0xb3d7fd1fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xb3d7fe0000 | 0xb3d80dffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000b3d80e0000 | 0xb3d80e0000 | 0xb3d8127fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xb3d8130000 | 0xb3d8140fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0xb3d8150000 | 0xb3d824ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000b3d8280000 | 0xb3d8280000 | 0xb3d8287fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d8290000 | 0xb3d8290000 | 0xb3d830ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d8310000 | 0xb3d8310000 | 0xb3d850ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xb3d8590000 | 0xb3d8605fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000b3d86a0000 | 0xb3d86a0000 | 0xb3d86a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000b3d86c0000 | 0xb3d86c0000 | 0xb3d86cffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0xb3d86d0000 | 0xb3d96cffff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xb3d96d0000 | 0xb3d9ecffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0xb3d9ed0000 | 0xb3d9faefff | Memory Mapped File | r |
|
|
|
- |
| seguisb.ttf | 0xb3d9fb0000 | 0xb3da092fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000b3da0a0000 | 0xb3da0a0000 | 0xb3da162fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x00007df5ffdb0000 | 0x7df5ffdb0000 | 0x7ff5ffdaffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bcda2000 | 0x7ff7bcda2000 | 0x7ff7bcda3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcda4000 | 0x7ff7bcda4000 | 0x7ff7bcda5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcda6000 | 0x7ff7bcda6000 | 0x7ff7bcda7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcda8000 | 0x7ff7bcda8000 | 0x7ff7bcda9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcdaa000 | 0x7ff7bcdaa000 | 0x7ff7bcdabfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcdac000 | 0x7ff7bcdac000 | 0x7ff7bcdadfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcdae000 | 0x7ff7bcdae000 | 0x7ff7bcdaffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bcdb0000 | 0x7ff7bcdb0000 | 0x7ff7bceaffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bceb0000 | 0x7ff7bceb0000 | 0x7ff7bced2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bced3000 | 0x7ff7bced3000 | 0x7ff7bced4fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bced5000 | 0x7ff7bced5000 | 0x7ff7bced6fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bced7000 | 0x7ff7bced7000 | 0x7ff7bced8fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bced9000 | 0x7ff7bced9000 | 0x7ff7bced9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bceda000 | 0x7ff7bceda000 | 0x7ff7bcedbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcedc000 | 0x7ff7bcedc000 | 0x7ff7bceddfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bcede000 | 0x7ff7bcede000 | 0x7ff7bcedffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 14 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #18: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:43, Reason: RPC Server |
| Unmonitor | End Time: 00:01:58, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xe78 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
378
0x
350
0x
344
0x
E84
0x
E80
0x
304
0x
A78
0x
9D4
0x
A60
0x
9E4
0x
85C
0x
868
0x
FA8
0x
F30
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x00000081090b0000 | 0x81090b0000 | 0x81090bffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000081090c0000 | 0x81090c0000 | 0x81090c6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000081090d0000 | 0x81090d0000 | 0x81090e3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000081090f0000 | 0x81090f0000 | 0x810916ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008109170000 | 0x8109170000 | 0x8109173fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008109180000 | 0x8109180000 | 0x8109182fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008109190000 | 0x8109190000 | 0x8109191fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x81091a0000 | 0x810925dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008109260000 | 0x8109260000 | 0x8109266fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0x8109270000 | 0x8109270fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000008109280000 | 0x8109280000 | 0x8109280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000008109290000 | 0x8109290000 | 0x8109290fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000081092a0000 | 0x81092a0000 | 0x81092a0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000081092b0000 | 0x81092b0000 | 0x81093affff | Private Memory | rw |
|
|
|
- |
| private_0x00000081093b0000 | 0x81093b0000 | 0x810942ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008109430000 | 0x8109430000 | 0x81095b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000081095c0000 | 0x81095c0000 | 0x8109740fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008109750000 | 0x8109750000 | 0x8109751fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000008109760000 | 0x8109760000 | 0x8109760fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000008109770000 | 0x8109770000 | 0x810977ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000008109780000 | 0x8109780000 | 0x810ab7ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000810ab80000 | 0x810ab80000 | 0x810abfffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810ac00000 | 0x810ac00000 | 0x810ac00fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000810ac10000 | 0x810ac10000 | 0x810ac12fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000810ac20000 | 0x810ac20000 | 0x810ac20fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000810ac30000 | 0x810ac30000 | 0x810ac3ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x810ac40000 | 0x810af76fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810af80000 | 0x810af80000 | 0x810affffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b000000 | 0x810b000000 | 0x810b07ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b080000 | 0x810b080000 | 0x810b0fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810b100000 | 0x810b100000 | 0x810b129fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000810b130000 | 0x810b130000 | 0x810b131fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000810b140000 | 0x810b140000 | 0x810b1bffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b1c0000 | 0x810b1c0000 | 0x810b23ffff | Private Memory | rw |
|
|
|
- |
| dui70.dll.mui | 0x810b240000 | 0x810b241fff | Memory Mapped File | r |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0x810b250000 | 0x810b253fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810b260000 | 0x810b260000 | 0x810b2dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b2e0000 | 0x810b2e0000 | 0x810b3dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810b3e0000 | 0x810b3e0000 | 0x810b3e0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000810b3f0000 | 0x810b3f0000 | 0x810b3f0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b400000 | 0x810b400000 | 0x810b400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b410000 | 0x810b410000 | 0x810b48ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b490000 | 0x810b490000 | 0x810b490fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810b4a0000 | 0x810b4a0000 | 0x810b4a0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0x810b4b0000 | 0x810b4c3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0x810b4d0000 | 0x810b4d1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0x810b4e0000 | 0x810b4e4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810b4f0000 | 0x810b4f0000 | 0x810b5effff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0x810b5f0000 | 0x810b5f3fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0x810b600000 | 0x810b612fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000810b620000 | 0x810b620000 | 0x810b620fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000810b630000 | 0x810b630000 | 0x810b6affff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0x810b6b0000 | 0x810b6cbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810b6d0000 | 0x810b6d0000 | 0x810b74ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0x810b750000 | 0x810b753fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0x810b760000 | 0x810b7a2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0x810b7b0000 | 0x810b7b3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0x810b7c0000 | 0x810b84afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810b850000 | 0x810b850000 | 0x810b94ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810b950000 | 0x810b950000 | 0x810b952fff | Pagefile Backed Memory | r |
|
|
|
- |
| cversions.1.db | 0x810b970000 | 0x810b973fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0x810b980000 | 0x810b981fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000810b990000 | 0x810b990000 | 0x810b998fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b9a0000 | 0x810b9a0000 | 0x810b9a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b9b0000 | 0x810b9b0000 | 0x810b9d3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b9e0000 | 0x810b9e0000 | 0x810b9e8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810b9f0000 | 0x810b9f0000 | 0x810baeffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000810bb00000 | 0x810bb00000 | 0x810bb02fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0x810bb10000 | 0x810bb11fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0x810bb20000 | 0x810bc1ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000810bc20000 | 0x810bc20000 | 0x810bc67fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0x810bc70000 | 0x810bc80fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0x810bc90000 | 0x810bd8ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000810bdc0000 | 0x810bdc0000 | 0x810bdc7fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810bdd0000 | 0x810bdd0000 | 0x810be4ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000810be50000 | 0x810be50000 | 0x810c04ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0x810c0d0000 | 0x810c145fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000810c1d0000 | 0x810c1d0000 | 0x810c1d0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000810c1e0000 | 0x810c1e0000 | 0x810c1effff | Private Memory | rw |
|
|
|
- |
| ~fontcache-fontface.dat | 0x810c1f0000 | 0x810d1effff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff800000 | 0x7df5ff800000 | 0x7ff5ff7fffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bd2f8000 | 0x7ff7bd2f8000 | 0x7ff7bd2f9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd2fa000 | 0x7ff7bd2fa000 | 0x7ff7bd2fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd2fc000 | 0x7ff7bd2fc000 | 0x7ff7bd2fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd2fe000 | 0x7ff7bd2fe000 | 0x7ff7bd2fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bd300000 | 0x7ff7bd300000 | 0x7ff7bd3fffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bd400000 | 0x7ff7bd400000 | 0x7ff7bd422fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bd423000 | 0x7ff7bd423000 | 0x7ff7bd424fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd425000 | 0x7ff7bd425000 | 0x7ff7bd425fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd426000 | 0x7ff7bd426000 | 0x7ff7bd427fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd428000 | 0x7ff7bd428000 | 0x7ff7bd429fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd42a000 | 0x7ff7bd42a000 | 0x7ff7bd42bfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd42c000 | 0x7ff7bd42c000 | 0x7ff7bd42dfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bd42e000 | 0x7ff7bd42e000 | 0x7ff7bd42ffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| oleacc.dll | 0x7ff8debc0000 | 0x7ff8dec28fff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| iertutil.dll | 0x7ff8e3c30000 | 0x7ff8e3fa5fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.dll | 0x7ff8e4fb0000 | 0x7ff8e504dfff | Memory Mapped File | rwx |
|
|
|
- |
| mrmcorer.dll | 0x7ff8e5050000 | 0x7ff8e515efff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| propsys.dll | 0x7ff8e79b0000 | 0x7ff8e7b32fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| ninput.dll | 0x7ff8e9000000 | 0x7ff8e905bfff | Memory Mapped File | rwx |
|
|
|
- |
| dcomp.dll | 0x7ff8e9130000 | 0x7ff8e9200fff | Memory Mapped File | rwx |
|
|
|
- |
| apphelp.dll | 0x7ff8e9500000 | 0x7ff8e9577fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| cfgmgr32.dll | 0x7ff8eaf60000 | 0x7ff8eafa3fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 14 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #19: openwith.exe
1
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\openwith.exe |
| Command Line | C:\Windows\system32\OpenWith.exe -Embedding |
| Initial Working Directory | C:\Windows\system32\ |
| Monitor | Start Time: 00:01:47, Reason: RPC Server |
| Unmonitor | End Time: 00:02:02, Reason: Self Terminated |
| Monitor Duration | 00:00:15 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa88 |
| Parent PID | 0x248 (c:\windows\system32\svchost.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | LHNIWSJ\CIiHmnxMn6Ps |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A90
0x
96C
0x
950
0x
928
0x
9A8
0x
A64
0x
F28
0x
F24
0x
9AC
0x
C6C
0x
374
0x
BAC
0x
FA4
0x
FA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000c6a90c0000 | 0xc6a90c0000 | 0xc6a90cffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6a90d0000 | 0xc6a90d0000 | 0xc6a90d6fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a90e0000 | 0xc6a90e0000 | 0xc6a90f3fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6a9100000 | 0xc6a9100000 | 0xc6a917ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a9180000 | 0xc6a9180000 | 0xc6a9183fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6a9190000 | 0xc6a9190000 | 0xc6a9192fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6a91a0000 | 0xc6a91a0000 | 0xc6a91a1fff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0xc6a91b0000 | 0xc6a926dfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6a9270000 | 0xc6a9270000 | 0xc6a92effff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6a92f0000 | 0xc6a92f0000 | 0xc6a92f6fff | Private Memory | rw |
|
|
|
- |
| openwith.exe.mui | 0xc6a9300000 | 0xc6a9300fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6a9310000 | 0xc6a9310000 | 0xc6a940ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a9410000 | 0xc6a9410000 | 0xc6a9597fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6a95a0000 | 0xc6a95a0000 | 0xc6a95a0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6a95b0000 | 0xc6a95b0000 | 0xc6a95b0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a95c0000 | 0xc6a95c0000 | 0xc6a95c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6a95d0000 | 0xc6a95d0000 | 0xc6a95d1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6a95e0000 | 0xc6a95e0000 | 0xc6a965ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a9660000 | 0xc6a9660000 | 0xc6a9660fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6a9670000 | 0xc6a9670000 | 0xc6a9670fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a9680000 | 0xc6a9680000 | 0xc6a9682fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6a9690000 | 0xc6a9690000 | 0xc6a9690fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6a96a0000 | 0xc6a96a0000 | 0xc6a96affff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6a96b0000 | 0xc6a96b0000 | 0xc6a9830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x000000c6a9840000 | 0xc6a9840000 | 0xc6aac3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6aac40000 | 0xc6aac40000 | 0xc6aacbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6aacc0000 | 0xc6aacc0000 | 0xc6aad3ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6aad40000 | 0xc6aad40000 | 0xc6aad69fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x000000c6aad70000 | 0xc6aad70000 | 0xc6aad71fff | Pagefile Backed Memory | r |
|
|
|
- |
| dui70.dll.mui | 0xc6aad80000 | 0xc6aad81fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6aad90000 | 0xc6aad90000 | 0xc6aad9ffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0xc6aada0000 | 0xc6ab0d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6ab0e0000 | 0xc6ab0e0000 | 0xc6ab15ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab160000 | 0xc6ab160000 | 0xc6ab1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab1e0000 | 0xc6ab1e0000 | 0xc6ab25ffff | Private Memory | rw |
|
|
|
- |
| windows.ui.immersive.dll.mui | 0xc6ab260000 | 0xc6ab263fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6ab270000 | 0xc6ab270000 | 0xc6ab2effff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab2f0000 | 0xc6ab2f0000 | 0xc6ab3effff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6ab3f0000 | 0xc6ab3f0000 | 0xc6ab3f0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6ab400000 | 0xc6ab400000 | 0xc6ab400fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab410000 | 0xc6ab410000 | 0xc6ab410fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab420000 | 0xc6ab420000 | 0xc6ab49ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab4a0000 | 0xc6ab4a0000 | 0xc6ab4a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6ab4b0000 | 0xc6ab4b0000 | 0xc6ab4b0fff | Pagefile Backed Memory | rw |
|
|
|
- |
| twinui.dll.mui | 0xc6ab4c0000 | 0xc6ab4d3fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll | 0xc6ab4e0000 | 0xc6ab4e1fff | Memory Mapped File | r |
|
|
|
- |
| oleaccrc.dll.mui | 0xc6ab4f0000 | 0xc6ab4f4fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6ab500000 | 0xc6ab500000 | 0xc6ab5fffff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xc6ab600000 | 0xc6ab603fff | Memory Mapped File | r |
|
|
|
- |
| {afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001c.db | 0xc6ab610000 | 0xc6ab622fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x000000c6ab630000 | 0xc6ab630000 | 0xc6ab630fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x000000c6ab640000 | 0xc6ab640000 | 0xc6ab6bffff | Private Memory | rw |
|
|
|
- |
| {3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000035.db | 0xc6ab6c0000 | 0xc6ab6dbfff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6ab6e0000 | 0xc6ab6e0000 | 0xc6ab75ffff | Private Memory | rw |
|
|
|
- |
| cversions.2.db | 0xc6ab760000 | 0xc6ab763fff | Memory Mapped File | r |
|
|
|
- |
| {6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db | 0xc6ab770000 | 0xc6ab7b2fff | Memory Mapped File | r |
|
|
|
- |
| cversions.2.db | 0xc6ab7c0000 | 0xc6ab7c3fff | Memory Mapped File | r |
|
|
|
- |
| {ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db | 0xc6ab7d0000 | 0xc6ab85afff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000c6ab860000 | 0xc6ab860000 | 0xc6ab95ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6ab960000 | 0xc6ab960000 | 0xc6ab962fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000c6ab970000 | 0xc6ab970000 | 0xc6ab970fff | Private Memory | rw |
|
|
|
- |
| cversions.1.db | 0xc6ab980000 | 0xc6ab983fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_idx.db | 0xc6ab990000 | 0xc6ab991fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000c6ab9a0000 | 0xc6ab9a0000 | 0xc6ab9a8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab9b0000 | 0xc6ab9b0000 | 0xc6ab9b0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab9c0000 | 0xc6ab9c0000 | 0xc6ab9e3fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6ab9f0000 | 0xc6ab9f0000 | 0xc6ab9f8fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6aba00000 | 0xc6aba00000 | 0xc6abafffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abb00000 | 0xc6abb00000 | 0xc6abb04fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x000000c6abb10000 | 0xc6abb10000 | 0xc6abb12fff | Pagefile Backed Memory | r |
|
|
|
- |
| iconcache_idx.db | 0xc6abb20000 | 0xc6abb21fff | Memory Mapped File | rw |
|
|
|
- |
| iconcache_32.db | 0xc6abb30000 | 0xc6abc2ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000c6abc30000 | 0xc6abc30000 | 0xc6abc77fff | Private Memory | rw |
|
|
|
- |
| propsys.dll.mui | 0xc6abc80000 | 0xc6abc90fff | Memory Mapped File | r |
|
|
|
- |
| thumbcache_32.db | 0xc6abca0000 | 0xc6abd9ffff | Memory Mapped File | rw |
|
|
|
- |
| private_0x000000c6abda0000 | 0xc6abda0000 | 0xc6abda0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abdb0000 | 0xc6abdb0000 | 0xc6abdb0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abdc0000 | 0xc6abdc0000 | 0xc6abdc0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abdd0000 | 0xc6abdd0000 | 0xc6abdd0fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abde0000 | 0xc6abde0000 | 0xc6abe5ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abe60000 | 0xc6abe60000 | 0xc6abe60fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abe70000 | 0xc6abe70000 | 0xc6abe70fff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abe80000 | 0xc6abe80000 | 0xc6abe8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000c6abe90000 | 0xc6abe90000 | 0xc6abf0ffff | Private Memory | rw |
|
|
|
- |
| ~fontcache-system.dat | 0xc6abf10000 | 0xc6abf85fff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-fontface.dat | 0xc6abf90000 | 0xc6acf8ffff | Memory Mapped File | r |
|
|
|
- |
| ~fontcache-s-1-5-21-1462094071-1423818996-289466292-1000.dat | 0xc6acf90000 | 0xc6ad78ffff | Memory Mapped File | r |
|
|
|
- |
| segoeui.ttf | 0xc6ad790000 | 0xc6ad86efff | Memory Mapped File | r |
|
|
|
- |
| seguisb.ttf | 0xc6ad870000 | 0xc6ad952fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00007df5ff970000 | 0x7df5ff970000 | 0x7ff5ff96ffff | Pagefile Backed Memory | - |
|
|
|
- |
| private_0x00007ff7bc7c8000 | 0x7ff7bc7c8000 | 0x7ff7bc7c9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7ca000 | 0x7ff7bc7ca000 | 0x7ff7bc7cbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7cc000 | 0x7ff7bc7cc000 | 0x7ff7bc7cdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc7ce000 | 0x7ff7bc7ce000 | 0x7ff7bc7cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00007ff7bc7d0000 | 0x7ff7bc7d0000 | 0x7ff7bc8cffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00007ff7bc8d0000 | 0x7ff7bc8d0000 | 0x7ff7bc8f2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00007ff7bc8f3000 | 0x7ff7bc8f3000 | 0x7ff7bc8f3fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8f4000 | 0x7ff7bc8f4000 | 0x7ff7bc8f5fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8f6000 | 0x7ff7bc8f6000 | 0x7ff7bc8f7fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8f8000 | 0x7ff7bc8f8000 | 0x7ff7bc8f9fff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8fa000 | 0x7ff7bc8fa000 | 0x7ff7bc8fbfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8fc000 | 0x7ff7bc8fc000 | 0x7ff7bc8fdfff | Private Memory | rw |
|
|
|
- |
| private_0x00007ff7bc8fe000 | 0x7ff7bc8fe000 | 0x7ff7bc8fffff | Private Memory | rw |
|
|
|
- |
| openwith.exe | 0x7ff7bd650000 | 0x7ff7bd669fff | Memory Mapped File | rwx |
|
|
|
- |
| dui70.dll | 0x7ff8d1180000 | 0x7ff8d132ffff | Memory Mapped File | rwx |
|
|
|
- |
| uiautomationcore.dll | 0x7ff8d1330000 | 0x7ff8d147bfff | Memory Mapped File | rwx |
|
|
|
- |
| duser.dll | 0x7ff8d76a0000 | 0x7ff8d7738fff | Memory Mapped File | rwx |
|
|
|
- |
| twinui.dll | 0x7ff8ddbd0000 | 0x7ff8de6dcfff | Memory Mapped File | rwx |
|
|
|
- |
| actxprxy.dll | 0x7ff8df640000 | 0x7ff8dfaa9fff | Memory Mapped File | rwx |
|
|
|
- |
| dwrite.dll | 0x7ff8e37f0000 | 0x7ff8e3a48fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.ui.immersive.dll | 0x7ff8e3a70000 | 0x7ff8e3c26fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7ff8e57b0000 | 0x7ff8e5a23fff | Memory Mapped File | rwx |
|
|
|
- |
| wintypes.dll | 0x7ff8e7430000 | 0x7ff8e7560fff | Memory Mapped File | rwx |
|
|
|
- |
| uianimation.dll | 0x7ff8e8650000 | 0x7ff8e869afff | Memory Mapped File | rwx |
|
|
|
- |
| d3d10warp.dll | 0x7ff8e8860000 | 0x7ff8e8acdfff | Memory Mapped File | rwx |
|
|
|
- |
| bcp47langs.dll | 0x7ff8e8af0000 | 0x7ff8e8b55fff | Memory Mapped File | rwx |
|
|
|
- |
| dxgi.dll | 0x7ff8e8c60000 | 0x7ff8e8cfbfff | Memory Mapped File | rwx |
|
|
|
- |
| d3d11.dll | 0x7ff8e8d00000 | 0x7ff8e8fa2fff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7ff8e8fb0000 | 0x7ff8e8fd1fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7ff8e9680000 | 0x7ff8e9715fff | Memory Mapped File | rwx |
|
|
|
- |
| twinapi.appcore.dll | 0x7ff8e9860000 | 0x7ff8e994dfff | Memory Mapped File | rwx |
|
|
|
- |
| rsaenh.dll | 0x7ff8ea270000 | 0x7ff8ea2a2fff | Memory Mapped File | rwx |
|
|
|
- |
| userenv.dll | 0x7ff8ea360000 | 0x7ff8ea37efff | Memory Mapped File | rwx |
|
|
|
- |
| cryptsp.dll | 0x7ff8ea620000 | 0x7ff8ea636fff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7ff8ea790000 | 0x7ff8ea79afff | Memory Mapped File | rwx |
|
|
|
- |
| bcrypt.dll | 0x7ff8eabd0000 | 0x7ff8eabf7fff | Memory Mapped File | rwx |
|
|
|
- |
| bcryptprimitives.dll | 0x7ff8eac00000 | 0x7ff8eac6afff | Memory Mapped File | rwx |
|
|
|
- |
| powrprof.dll | 0x7ff8eadd0000 | 0x7ff8eae19fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel.appcore.dll | 0x7ff8eae20000 | 0x7ff8eae2efff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7ff8eae30000 | 0x7ff8eae42fff | Memory Mapped File | rwx |
|
|
|
- |
| windows.storage.dll | 0x7ff8eb180000 | 0x7ff8eb7a7fff | Memory Mapped File | rwx |
|
|
|
- |
| shcore.dll | 0x7ff8eb7b0000 | 0x7ff8eb862fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7ff8eb870000 | 0x7ff8eba4cfff | Memory Mapped File | rwx |
|
|
|
- |
| oleaut32.dll | 0x7ff8ebb30000 | 0x7ff8ebbedfff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x7ff8ebdc0000 | 0x7ff8ebf0dfff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7ff8ec0c0000 | 0x7ff8ec21bfff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7ff8ec240000 | 0x7ff8ec29afff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7ff8ec300000 | 0x7ff8ec440fff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7ff8ec450000 | 0x7ff8ec575fff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7ff8ec580000 | 0x7ff8edaa4fff | Memory Mapped File | rwx |
|
|
|
- |
| clbcatq.dll | 0x7ff8edb10000 | 0x7ff8edbb4fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7ff8edbc0000 | 0x7ff8edd44fff | Memory Mapped File | rwx |
|
|
|
- |
| combase.dll | 0x7ff8edd60000 | 0x7ff8edfdbfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7ff8edfe0000 | 0x7ff8ee030fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7ff8ee0b0000 | 0x7ff8ee14cfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7ff8ee150000 | 0x7ff8ee185fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7ff8ee190000 | 0x7ff8ee235fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x7ff8ee2d0000 | 0x7ff8ee37cfff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x7ff8ee380000 | 0x7ff8ee541fff | Memory Mapped File | rwx |
|
|
|
- |
|
For performance reasons, the remaining 26 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Host Behavior
COM (1)
| Operation | Class | Interface | Additional Information | Success | Count | Logfile |
|---|---|---|---|---|---|---|
| Create | 94B23D4D-1040-4C4B-9081-85D8D6FA36C4 | CE149B23-5941-4079-9223-52C0A991EC48 | cls_context = CLSCTX_INPROC_SERVER |
|
1 |
