34e6ca7f...2f7e | Grouped Behavior
Logo
Try VMRay Analyzer
VTI SCORE: 94/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Downloader

34e6ca7fcd9b02405980bd6a92e20b8f972b0988e90576135c4ce12216f12f7e (SHA256)

Attacker.exe

Windows Exe (x86-32)

Created at 2018-10-25 06:43:00

...

Notifications (2/3)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Code overwrite was observed during this analysis. Note that the analysis results may be affected by this modification by the sample.

The operating system was rebooted during the analysis.

Grouped Sequential

Monitored Processes

Process Graph

Process Graph Legend
Process Overview
»
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x720 Analysis Target High (Elevated) attacker.exe "C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe" -
#2 0xf4 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe"" #1
#4 0x7a0 Child Process High (Elevated) cmd.exe cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe"" #2
#5 0x318 Child Process High (Elevated) autoclb.exe "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe" #4
#6 0xb7c Autostart Medium autoclb.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe" -
#7 0x534 Child Process Medium svchost.exe C:\Windows\system32\svchost.exe #6
#8 0x824 Injection Medium explorer.exe C:\Windows\Explorer.EXE #7
#9 0x560 Child Process Medium cmd.exe cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#11 0x848 Child Process Medium makecab.exe makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin" #8
#13 0xa90 Child Process Medium systeminfo.exe systeminfo.exe #9
#19 0x8f4 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#21 0x428 Child Process Medium cmd.exe cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#23 0x2c8 Child Process Medium net.exe net view #21
#24 0x200 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#26 0x8cc Child Process Medium cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#28 0x410 Child Process Medium nslookup.exe nslookup 127.0.0.1 #26
#29 0x274 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#31 0xb18 Child Process Medium cmd.exe cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#33 0xa3c Child Process Medium tasklist.exe tasklist.exe /SVC #31
#34 0xbbc Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#36 0xb00 Child Process Medium cmd.exe cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#38 0x9a8 Child Process Medium driverquery.exe driverquery.exe #36
#39 0x8c0 Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#41 0xb6c Child Process Medium cmd.exe cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#43 0x534 Child Process Medium reg.exe reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s #41
#44 0x8ec Child Process Medium cmd.exe cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#46 0x3ac Child Process Medium cmd.exe cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" #8
#49 0xa4c Child Process Medium makecab.exe makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin" #8

Behavior Information - Grouped by Category

Process #1: attacker.exe
1509 0
»
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\attacker.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:27, Reason: Analysis Target
Unmonitor End Time: 00:00:55, Reason: Self Terminated
Monitor Duration 00:00:28
OS Process Information
»
Information Value
PID 0x720
Parent PID 0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x B4C
0x 644
0x 8DC
0x AC8
0x A2C
0x 128
0x AE0
0x 7C0
0x 6B4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x0030ffff Private Memory rw True False False -
private_0x0000000000310000 0x00310000 0x0031ffff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x0035ffff Private Memory rw True False False -
private_0x0000000000360000 0x00360000 0x00360fff Private Memory rw True False False -
msvfw32.dll.mui 0x00370000 0x00371fff Memory Mapped File r False False False -
private_0x0000000000380000 0x00380000 0x0038ffff Private Memory rw True False False -
private_0x0000000000390000 0x00390000 0x00393fff Private Memory rw True False False -
pagefile_0x00000000003a0000 0x003a0000 0x003a1fff Pagefile Backed Memory r True False False -
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x003c1fff Pagefile Backed Memory r True False False -
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory rw True False False -
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory rw True False False -
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory rw True False False -
attacker.exe 0x00400000 0x004d0fff Memory Mapped File rwx True True False
...
private_0x00000000004e0000 0x004e0000 0x0051ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x00520fff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x00530fff Private Memory rw True False False -
private_0x0000000000540000 0x00540000 0x00540fff Private Memory rw True False False -
private_0x0000000000550000 0x00550000 0x00550fff Private Memory rw True False False -
private_0x0000000000560000 0x00560000 0x00560fff Private Memory rw True False False -
private_0x0000000000570000 0x00570000 0x00570fff Private Memory rw True False False -
private_0x0000000000580000 0x00580000 0x0067ffff Private Memory rw True False False -
private_0x0000000000680000 0x00680000 0x0077ffff Private Memory rw True False False -
private_0x0000000000780000 0x00780000 0x0087ffff Private Memory rw True False False -
private_0x0000000000880000 0x00880000 0x0097ffff Private Memory rw True False False -
pagefile_0x0000000000980000 0x00980000 0x00b07fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000b10000 0x00b10000 0x00c90fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000ca0000 0x00ca0000 0x0209ffff Pagefile Backed Memory r True False False -
private_0x00000000020a0000 0x020a0000 0x0219ffff Private Memory rw True False False -
private_0x00000000021a0000 0x021a0000 0x021a0fff Private Memory rw True False False -
private_0x00000000021b0000 0x021b0000 0x021b0fff Private Memory rw True False False -
private_0x00000000021c0000 0x021c0000 0x021c0fff Private Memory rw True False False -
private_0x00000000021d0000 0x021d0000 0x021dffff Private Memory rw True False False -
sortdefault.nls 0x021e0000 0x02516fff Memory Mapped File r False False False -
private_0x0000000002520000 0x02520000 0x0265ffff Private Memory rw True False False -
private_0x0000000002520000 0x02520000 0x02520fff Private Memory rw True False False -
private_0x0000000002530000 0x02530000 0x02530fff Private Memory rw True False False -
private_0x0000000002540000 0x02540000 0x02540fff Private Memory rw True False False -
private_0x0000000002550000 0x02550000 0x02550fff Private Memory rw True False False -
private_0x0000000002560000 0x02560000 0x02560fff Private Memory rw True False False -
private_0x0000000002570000 0x02570000 0x02570fff Private Memory rw True False False -
private_0x0000000002580000 0x02580000 0x02580fff Private Memory rw True False False -
private_0x0000000002590000 0x02590000 0x02590fff Private Memory rw True False False -
private_0x00000000025a0000 0x025a0000 0x025a0fff Private Memory rw True False False -
private_0x00000000025b0000 0x025b0000 0x025b0fff Private Memory rw True False False -
private_0x00000000025c0000 0x025c0000 0x025c0fff Private Memory rw True False False -
private_0x00000000025d0000 0x025d0000 0x025d0fff Private Memory rw True False False -
private_0x00000000025e0000 0x025e0000 0x025e0fff Private Memory rw True False False -
private_0x00000000025f0000 0x025f0000 0x025f0fff Private Memory rw True False False -
private_0x0000000002600000 0x02600000 0x02600fff Private Memory rw True False False -
private_0x0000000002610000 0x02610000 0x02610fff Private Memory rw True False False -
private_0x0000000002620000 0x02620000 0x02620fff Private Memory rw True False False -
private_0x0000000002630000 0x02630000 0x02630fff Private Memory rw True False False -
private_0x0000000002640000 0x02640000 0x02640fff Private Memory rw True False False -
private_0x0000000002650000 0x02650000 0x0265ffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x027fffff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x02660fff Private Memory rw True False False -
private_0x0000000002670000 0x02670000 0x02670fff Private Memory rw True False False -
private_0x0000000002680000 0x02680000 0x02680fff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
comctl32.dll 0x745f0000 0x747f8fff Memory Mapped File rwx False False False -
dciman32.dll 0x74800000 0x74806fff Memory Mapped File rwx False False False -
ddraw.dll 0x74810000 0x748fafff Memory Mapped File rwx False False False -
glu32.dll 0x74900000 0x74924fff Memory Mapped File rwx False False False -
tapi32.dll 0x74930000 0x74963fff Memory Mapped File rwx False False False -
msvfw32.dll 0x74970000 0x74992fff Memory Mapped File rwx False False False -
devobj.dll 0x749a0000 0x749c0fff Memory Mapped File rwx False False False -
winnsi.dll 0x749d0000 0x749d7fff Memory Mapped File rwx False False False -
winmmbase.dll 0x749e0000 0x74a02fff Memory Mapped File rwx False False False -
opengl32.dll 0x74a10000 0x74aeffff Memory Mapped File rwx False False False -
iphlpapi.dll 0x74af0000 0x74b1ffff Memory Mapped File rwx False False False -
winmm.dll 0x74b20000 0x74b43fff Memory Mapped File rwx False False False -
version.dll 0x74b50000 0x74b57fff Memory Mapped File rwx False False False -
comctl32.dll 0x74b60000 0x74bf1fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
comdlg32.dll 0x75160000 0x7521dfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File rwx False False False -
nsi.dll 0x773e0000 0x773e6fff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007fe40000 0x7fe40000 0x7fe9ffff Private Memory rw True False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory rw True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory rw True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 62 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3:: 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe 816.00 KB MD5: 614d298b8690f04b96c6cabc9daf18d3
SHA1: c75106a869334a99e732159186ea7eaefafa9956
SHA256: 94d3ef9a4d2f84f4b34763c33bb3e5472f65b185b3c46e7dec1e1fdd0a4e25d0
SSDeep: 12288:Hcrq243ICNz1TJ987E77JALCkUBmke6dfDKT2UD4w3E1/JoV0TCV+Z:He4d1q7o7Bkz3NDSpyG6+Z 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat 0.11 KB MD5: de62cccde7c3b2d03f0cf2bac762eb4f
SHA1: 0fd51e67b3574ae15b1573260ee571443cc2aca7
SHA256: 37c944f962c0713a0e8b62805ff53c49dcb7780268921b46527986523e9525cd
SSDeep: 3:ERvM06OWRNfeURMjngU64vHXMJATkUE0VRvJSupn:ERvIRhavvHXMJ2dVRvJNn 		False
...
Host Behavior
File (274)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Create C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw - True 1
Fn
Create Directory C:\Users\CIIHMN~1\AppData\Local\Temp\4D82 - True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\4D82.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\4D82 True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe type = size True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read STD_ERROR_HANDLE size = 0 False 1
Fn
Read C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe size = 835584, size_out = 835584 True 1
Fn
Data
Write - size = 1 False 249
Fn
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe size = 4096 True 2
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe size = 831488 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat size = 110 True 1
Fn
Data
Registry (20)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_USERS - True 1
Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = 160, type = REG_NONE False 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, data = 0, type = REG_NONE False 1
Fn
Write Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 118, type = REG_SZ True 1
Fn
Write Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Install, size = 118, type = REG_BINARY True 1
Fn
Data
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - False 1
Fn
Process (2)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat show_window = SW_HIDE True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Module (200)
»
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x77ca0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77290000 True 1
Fn
Load SETUPAPI.dll base_address = 0x76a90000 True 1
Fn
Load KERNEL32.dll base_address = 0x75260000 True 1
Fn
Load USER32.dll base_address = 0x77150000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76a10000 True 1
Fn
Load SHELL32.dll base_address = 0x75430000 True 1
Fn
Load ole32.dll base_address = 0x768b0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 16
Fn
Get Handle c:\users\ciihmnxmn6ps\desktop\attacker.exe base_address = 0x400000 True 19
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 3
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76a10000 True 2
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x77150000 True 1
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, size = 260 True 1
Fn
Get Filename c:\users\ciihmnxmn6ps\desktop\attacker.exe process_name = c:\users\ciihmnxmn6ps\desktop\attacker.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\Attacker.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7527a330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75277580 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75279910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7527f400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77cff190 True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77cfa200 True 6
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75279680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x77d0ee50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = strstr, address_out = 0x77d10010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x77d0e610 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x77cf3010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x77d0e7b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlGetVersion, address_out = 0x77cffcd0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x77cfaca0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77d08d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77d08f40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x77d09d20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x77d08df0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x77d08cb0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x77d08e40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77d08e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x77d08e60 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x77d09080 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x77cdb940 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x77cee040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _aulldiv, address_out = 0x77d0c680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x77d08e10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x772acd10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x772a6a00 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x772a80d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x772acd50 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x772b1db0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x772b26c0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x772a83a0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x772a7c40 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x772b2900 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x752725e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7527f4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75279640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x7527a4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77d02570 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75285f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75279700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x7527d940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x75279950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x752860c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x7529d410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x75286510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75272d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7527e320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SwitchToThread, address_out = 0x75279f30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x752864f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x75285f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x752862a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75286410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75272db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x75286270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77cdda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x75277540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75277940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x752860d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x752857f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7529d320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x752861d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75286170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x75286130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x752860b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75286590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x75286380 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x752a0960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75286150 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x752861b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75286180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x7527db30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7527a280 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x7527ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7527c1f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7527f7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x752787c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x752777b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75283a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7527efc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75286110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x752864a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75286140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x752a2a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x75286210 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7527a040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75279560 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75286360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x752792b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x752a0a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x75277610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75278c70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75272af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75271d90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x7527a300 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x752747c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75286530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x752863f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7717ea00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharUpperA, address_out = 0x771831c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x77180980 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7717ddf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x771ccf50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76a2ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x76a32520 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x76a2f590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x76a30ca0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76a2f0a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x76a30f50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x76a30ea0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76a2ee90 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x76a331a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76a30750 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x76a33150 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x76a2ed40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76a2efa0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76a2ee40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76a2f000 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x755c4370 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x755c4cb0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x756a7560 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x76eadca0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x76eacd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x752796e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7716ba70 True 1
Fn
Window (2)
»
Operation Window Name Additional Information Success Count Logfile
Create FTP class_name = fetches, wndproc_parameter = 0 False 1
Fn
Find - class_name = ProgMan True 1
Fn
System (752)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Fn
Get Cursor x_out = 809, y_out = 480 True 732
Fn
Get Cursor x_out = 427, y_out = 682 True 1
Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 10
Fn
Get Time type = System Time, time = 2018-10-25 06:44:20 (UTC) True 1
Fn
Get Time type = Ticks, time = 124984 True 1
Fn
Get Time type = Ticks, time = 130625 True 4
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (249)
»
Operation Process Additional Information Success Count Logfile
Print c:\users\ciihmnxmn6ps\desktop\attacker.exe type = DEBUG_STRING True 249
Fn
Process #2: cmd.exe
144 0
»
Information Value
ID #2
File Name c:\windows\syswow64\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ""C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat" "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:52, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:20
OS Process Information
»
Information Value
PID 0xf4
Parent PID 0x720 (c:\users\ciihmnxmn6ps\desktop\attacker.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 700
0x 630
0x DC0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x00000000006d0000 0x006d0000 0x006effff Private Memory rw True False False -
pagefile_0x00000000006d0000 0x006d0000 0x006dffff Pagefile Backed Memory rw True False False -
private_0x00000000006e0000 0x006e0000 0x006e3fff Private Memory rw True False False -
private_0x00000000006f0000 0x006f0000 0x006f1fff Private Memory rw True False False -
private_0x00000000006f0000 0x006f0000 0x006f3fff Private Memory rw True False False -
pagefile_0x0000000000700000 0x00700000 0x00713fff Pagefile Backed Memory r True False False -
private_0x0000000000720000 0x00720000 0x0075ffff Private Memory rw True False False -
private_0x0000000000760000 0x00760000 0x0085ffff Private Memory rw True False False -
pagefile_0x0000000000860000 0x00860000 0x00863fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000870000 0x00870000 0x00870fff Pagefile Backed Memory r True False False -
private_0x0000000000880000 0x00880000 0x00881fff Private Memory rw True False False -
private_0x0000000000890000 0x00890000 0x008cffff Private Memory rw True False False -
private_0x00000000008d0000 0x008d0000 0x009cffff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x009dffff Private Memory rw True False False -
locale.nls 0x009e0000 0x00a9dfff Memory Mapped File r False False False -
private_0x0000000000aa0000 0x00aa0000 0x00b9ffff Private Memory rw True False False -
private_0x0000000000ba0000 0x00ba0000 0x00baffff Private Memory rw True False False -
private_0x0000000000d10000 0x00d10000 0x00d1ffff Private Memory rw True False False -
sortdefault.nls 0x00d20000 0x01056fff Memory Mapped File r False False False -
cmd.exe 0x012b0000 0x012fffff Memory Mapped File rwx True False False -
pagefile_0x0000000001300000 0x01300000 0x052fffff Pagefile Backed Memory - True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
cmdext.dll 0x74bf0000 0x74bf7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
pagefile_0x000000007f8b0000 0x7f8b0000 0x7f9affff Pagefile Backed Memory r True False False -
pagefile_0x000000007f9b0000 0x7f9b0000 0x7f9d2fff Pagefile Backed Memory r True False False -
private_0x000000007f9d8000 0x7f9d8000 0x7f9dafff Private Memory rw True False False -
private_0x000000007f9db000 0x7f9db000 0x7f9ddfff Private Memory rw True False False -
private_0x000000007f9de000 0x7f9de000 0x7f9defff Private Memory rw True False False -
private_0x000000007f9df000 0x7f9df000 0x7f9dffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (97)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 3
Fn
Get Info C:\Users\CIiHmnxMn6Ps\Desktop type = file_attributes True 2
Fn
Get Info "C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.bat" type = file_attributes False 1
Fn
Get Info - type = file_type True 3
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 13
Fn
Open STD_OUTPUT_HANDLE - True 44
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Open - - True 12
Fn
Read - size = 8191, size_out = 110 True 1
Fn
Data
Read - size = 8191, size_out = 99 True 1
Fn
Data
Read - size = 8191, size_out = 66 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 2 True 4
Fn
Data
Write STD_OUTPUT_HANDLE size = 30 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 3 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 4 True 2
Fn
Data
Write STD_OUTPUT_HANDLE size = 63 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 12 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 104 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 216, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\cmd.exe os_pid = 0x7a0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x12b0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2
Fn
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x752a2780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x7527fa80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7527a790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x74f835c0 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 5
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 3
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 4
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #4: cmd.exe
47 0
»
Information Value
ID #4
File Name c:\windows\syswow64\cmd.exe
Command Line cmd /C ""C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe""
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:12, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
»
Information Value
PID 0x7a0
Parent PID 0xf4 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 300
0x 570
0x DBC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000810000 0x00810000 0x0082ffff Private Memory rw True False False -
pagefile_0x0000000000810000 0x00810000 0x0081ffff Pagefile Backed Memory rw True False False -
private_0x0000000000820000 0x00820000 0x0082ffff Private Memory rw True False False -
private_0x0000000000830000 0x00830000 0x00831fff Private Memory rw True False False -
private_0x0000000000830000 0x00830000 0x00833fff Private Memory rw True False False -
pagefile_0x0000000000840000 0x00840000 0x00853fff Pagefile Backed Memory r True False False -
private_0x0000000000860000 0x00860000 0x0089ffff Private Memory rw True False False -
private_0x00000000008a0000 0x008a0000 0x0099ffff Private Memory rw True False False -
pagefile_0x00000000009a0000 0x009a0000 0x009a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000009b0000 0x009b0000 0x009b0fff Pagefile Backed Memory r True False False -
private_0x00000000009c0000 0x009c0000 0x009c1fff Private Memory rw True False False -
private_0x00000000009d0000 0x009d0000 0x00a0ffff Private Memory rw True False False -
private_0x0000000000a10000 0x00a10000 0x00a13fff Private Memory rw True False False -
private_0x0000000000a60000 0x00a60000 0x00a6ffff Private Memory rw True False False -
private_0x0000000000ab0000 0x00ab0000 0x00baffff Private Memory rw True False False -
locale.nls 0x00bb0000 0x00c6dfff Memory Mapped File r False False False -
private_0x0000000000c70000 0x00c70000 0x00d6ffff Private Memory rw True False False -
sortdefault.nls 0x00d70000 0x010a6fff Memory Mapped File r False False False -
cmd.exe 0x012b0000 0x012fffff Memory Mapped File rwx True False False -
pagefile_0x0000000001300000 0x01300000 0x052fffff Pagefile Backed Memory - True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
sysmain.sdb 0x7eab0000 0x7ee3ffff Memory Mapped File r False False False -
pagefile_0x000000007ee40000 0x7ee40000 0x7ef3ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ef40000 0x7ef40000 0x7ef62fff Pagefile Backed Memory r True False False -
private_0x000000007ef63000 0x7ef63000 0x7ef63fff Private Memory rw True False False -
private_0x000000007ef68000 0x7ef68000 0x7ef6afff Private Memory rw True False False -
private_0x000000007ef6b000 0x7ef6b000 0x7ef6bfff Private Memory rw True False False -
private_0x000000007ef6d000 0x7ef6d000 0x7ef6ffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Host Behavior
File (7)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\CIiHmnxMn6Ps\Desktop type = file_attributes True 2
Fn
Get Info "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" type = file_attributes False 1
Fn
Open STD_OUTPUT_HANDLE - True 3
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 209, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe os_pid = 0x318, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x12b0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 2
Fn
Get Filename - process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x752a2780 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x7527fa80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x7527a790 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x74f835c0 True 1
Fn
Environment (12)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT, result_out = $P$G True 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = =C:, value = C:\Users\CIiHmnxMn6Ps\Desktop True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Process #5: autoclb.exe
1435 0
»
Information Value
ID #5
File Name c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe" "C:\Users\CIIHMN~1\Desktop\Attacker.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:58, Reason: Child Process
Unmonitor End Time: 00:01:11, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
»
Information Value
PID 0x318
Parent PID 0x7a0 (c:\windows\syswow64\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 6B4
0x 8DC
0x AE0
0x C24
0x DB8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x001d0fff Private Memory rw True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
locale.nls 0x001f0000 0x002adfff Memory Mapped File r False False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
msvfw32.dll.mui 0x003f0000 0x003f1fff Memory Mapped File r False False False -
autoclb.exe 0x00400000 0x004d0fff Memory Mapped File rwx True False False -
pagefile_0x00000000004e0000 0x004e0000 0x00667fff Pagefile Backed Memory r True False False -
private_0x0000000000670000 0x00670000 0x00673fff Private Memory rw True False False -
pagefile_0x0000000000680000 0x00680000 0x00681fff Pagefile Backed Memory r True False False -
private_0x0000000000690000 0x00690000 0x00690fff Private Memory rw True False False -
private_0x00000000006a0000 0x006a0000 0x0079ffff Private Memory rw True False False -
pagefile_0x00000000007a0000 0x007a0000 0x007a1fff Pagefile Backed Memory r True False False -
private_0x00000000007b0000 0x007b0000 0x007effff Private Memory rw True False False -
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory rw True False False -
pagefile_0x0000000000800000 0x00800000 0x00980fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000990000 0x00990000 0x01d8ffff Pagefile Backed Memory r True False False -
private_0x0000000001d90000 0x01d90000 0x01f2ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001d90000 0x01d90000 0x01d90fff Private Memory rw True False False -
private_0x0000000001da0000 0x01da0000 0x01da0fff Private Memory rw True False False -
private_0x0000000001db0000 0x01db0000 0x01db0fff Private Memory rw True False False -
private_0x0000000001dc0000 0x01dc0000 0x01dc0fff Private Memory rw True False False -
private_0x0000000001dd0000 0x01dd0000 0x01dd0fff Private Memory rw True False False -
private_0x0000000001de0000 0x01de0000 0x01de0fff Private Memory rw True False False -
private_0x0000000001df0000 0x01df0000 0x01df0fff Private Memory rw True False False -
private_0x0000000001e00000 0x01e00000 0x01e00fff Private Memory rw True False False -
private_0x0000000001e10000 0x01e10000 0x01e10fff Private Memory rw True False False -
private_0x0000000001e20000 0x01e20000 0x01e20fff Private Memory rw True False False -
private_0x0000000001e30000 0x01e30000 0x01e3ffff Private Memory rw True False False -
private_0x0000000001e40000 0x01e40000 0x01e40fff Private Memory rw True False False -
private_0x0000000001e50000 0x01e50000 0x01e50fff Private Memory rw True False False -
private_0x0000000001e60000 0x01e60000 0x01e60fff Private Memory rw True False False -
private_0x0000000001e70000 0x01e70000 0x01e70fff Private Memory rw True False False -
private_0x0000000001e80000 0x01e80000 0x01e80fff Private Memory rw True False False -
private_0x0000000001e90000 0x01e90000 0x01e90fff Private Memory rw True False False -
private_0x0000000001ea0000 0x01ea0000 0x01ea0fff Private Memory rw True False False -
private_0x0000000001eb0000 0x01eb0000 0x01eb0fff Private Memory rw True False False -
private_0x0000000001ec0000 0x01ec0000 0x01ec0fff Private Memory rw True False False -
private_0x0000000001ed0000 0x01ed0000 0x01ed0fff Private Memory rw True False False -
private_0x0000000001ee0000 0x01ee0000 0x01ee0fff Private Memory rw True False False -
private_0x0000000001ef0000 0x01ef0000 0x01ef0fff Private Memory rw True False False -
private_0x0000000001f00000 0x01f00000 0x01f00fff Private Memory rw True False False -
private_0x0000000001f10000 0x01f10000 0x01f10fff Private Memory rw True False False -
private_0x0000000001f20000 0x01f20000 0x01f2ffff Private Memory rw True False False -
private_0x0000000001f30000 0x01f30000 0x01f30fff Private Memory rw True False False -
private_0x0000000001f40000 0x01f40000 0x01f40fff Private Memory rw True False False -
private_0x0000000001f50000 0x01f50000 0x01f50fff Private Memory rw True False False -
private_0x0000000001f60000 0x01f60000 0x01f60fff Private Memory rw True False False -
private_0x0000000001f70000 0x01f70000 0x01f7ffff Private Memory rw True False False -
sortdefault.nls 0x01f80000 0x022b6fff Memory Mapped File r False False False -
private_0x00000000022c0000 0x022c0000 0x023bffff Private Memory rw True False False -
private_0x00000000023c0000 0x023c0000 0x023c0fff Private Memory rw True False False -
private_0x00000000023d0000 0x023d0000 0x023d0fff Private Memory rw True False False -
private_0x00000000023e0000 0x023e0000 0x023e0fff Private Memory rw True False False -
private_0x00000000023f0000 0x023f0000 0x023f0fff Private Memory rw True False False -
private_0x0000000002400000 0x02400000 0x02400fff Private Memory rw True False False -
private_0x0000000002410000 0x02410000 0x02410fff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x02420fff Private Memory rw True False False -
private_0x0000000002430000 0x02430000 0x02430fff Private Memory rw True False False -
private_0x0000000002440000 0x02440000 0x02440fff Private Memory rw True False False -
private_0x0000000002450000 0x02450000 0x02450fff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
comctl32.dll 0x745e0000 0x747e8fff Memory Mapped File rwx False False False -
tapi32.dll 0x747f0000 0x74823fff Memory Mapped File rwx False False False -
devobj.dll 0x74830000 0x74850fff Memory Mapped File rwx False False False -
dciman32.dll 0x74860000 0x74866fff Memory Mapped File rwx False False False -
winnsi.dll 0x74870000 0x74877fff Memory Mapped File rwx False False False -
winmmbase.dll 0x74880000 0x748a2fff Memory Mapped File rwx False False False -
ddraw.dll 0x748b0000 0x7499afff Memory Mapped File rwx False False False -
glu32.dll 0x749a0000 0x749c4fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x749d0000 0x749fffff Memory Mapped File rwx False False False -
winmm.dll 0x74a00000 0x74a23fff Memory Mapped File rwx False False False -
msvfw32.dll 0x74a30000 0x74a52fff Memory Mapped File rwx False False False -
version.dll 0x74a60000 0x74a67fff Memory Mapped File rwx False False False -
opengl32.dll 0x74a70000 0x74b4ffff Memory Mapped File rwx False False False -
comctl32.dll 0x74b50000 0x74be1fff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
comdlg32.dll 0x75160000 0x7521dfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File rwx False False False -
nsi.dll 0x773e0000 0x773e6fff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007fe50000 0x7fe50000 0x7feaffff Private Memory rw True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 25 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1000 13 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x100e 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1014 11 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1020 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1027 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x102d 1 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1030 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1039 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1041 7 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1049 21 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x105f 14 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1070 11 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x107c 9 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1086 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1091 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1096 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x109d 13 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10ab 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10b4 23 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10cc 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10d6 14 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10e6 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x10ef 19 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1105 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x110e 3 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1113 23 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x112b 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1134 13 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1143 9 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x114d 7 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1155 7 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x115d 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1162 1 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1165 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x116e 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1174 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1179 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x117e 1 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1181 13 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x118f 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1195 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x119c 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11a2 8 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11ab 4 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11b0 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11b7 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11c2 1 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11c4 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11ca 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11d5 14 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11e5 7 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11ed 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x11f8 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1205 6 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x120d 30 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x122c 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1232 5 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1238 10 bytes -
...
Code private_0x0000000002460000:+0x39f4 autoclb.exe:+0x1243 1 bytes -
...
Host Behavior
File (254)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read STD_ERROR_HANDLE size = 0 False 1
Fn
Write - size = 1 False 249
Fn
Registry (2)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Module (193)
»
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x77ca0000 True 1
Fn
Load SHLWAPI.dll base_address = 0x77290000 True 1
Fn
Load SETUPAPI.dll base_address = 0x76a90000 True 1
Fn
Load KERNEL32.dll base_address = 0x75260000 True 1
Fn
Load USER32.dll base_address = 0x77150000 True 1
Fn
Load ADVAPI32.dll base_address = 0x76a10000 True 1
Fn
Load SHELL32.dll base_address = 0x75430000 True 1
Fn
Load ole32.dll base_address = 0x768b0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75260000 True 15
Fn
Get Handle c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe base_address = 0x400000 True 18
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77ca0000 True 2
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x76a10000 True 2
Fn
Get Filename - process_name = c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIIHMN~1\AppData\Roaming\adsldraw\autoclb.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7527a330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75277580 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75279910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7527f400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x77cff190 True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x77cfa200 True 6
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x75279680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x77d0ee50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = strstr, address_out = 0x77d10010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x77d0e610 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x77cf3010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x77d0e7b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlGetVersion, address_out = 0x77cffcd0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x77cfaca0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x77d08d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x77d08f40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x77d09d20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x77d08df0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x77d08cb0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x77d08e40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x77d08e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x77d08e60 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x77d09080 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x77cdb940 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x77cee040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _aulldiv, address_out = 0x77d0c680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x77d08e10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x772acd10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x772a6a00 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x772a80d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x772acd50 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x772b1db0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x772b26c0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x772a83a0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x772a7c40 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x772b2900 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76ae19a0 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetClassDevsA, address_out = 0x76ab8d10 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiEnumDeviceInfo, address_out = 0x76aa5620 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiDestroyDeviceInfoList, address_out = 0x76aa5340 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x752725e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7527f4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x752874f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x75279640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x7527a4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x77d02570 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x75285f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x75279700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x7527d940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x75279950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x752860c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x7529d410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x75286510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x75272d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7527e320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SwitchToThread, address_out = 0x75279f30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x752864f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x75285f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x752862a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x75286410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x75272db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x75286270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x77cdda90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x75277540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x75277940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x752860d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x752857f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x7529d320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x752861d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x75286170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x75286130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x752860b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x75286590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x75286380 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x752a0960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x75286150 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x752861b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x75286180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x7527db30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7527a280 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x7527ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7527c1f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7527f7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x752787c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x752a0da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x752777b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x75283a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7527efc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x75286110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x752864a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7527c8c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x75286140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x752a2a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x75286210 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7527a040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x75279560 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x75286360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x752792b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x752a0a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x75278b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x75277610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x75278c70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x75272af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x75271d90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x7527a300 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x752747c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x75286530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x752863f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7717ea00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharUpperA, address_out = 0x771831c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x77180980 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7717ddf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x771ccf50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x76a2ed60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x76a32520 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x76a2f590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x76a30ca0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x76a5bda0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x76a2f0a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x76a30f50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x76a30ea0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x76a2ee90 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x76a331a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x76a30750 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x76a33150 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x76a2ed40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x76a2efa0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x76a2ee40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76a2f000 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x755c4370 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x755c4cb0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x756a7560 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x76eadca0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x76eacd50 True 1
Fn
Window (1)
»
Operation Window Name Additional Information Success Count Logfile
Create FTP class_name = fetches, wndproc_parameter = 0 False 1
Fn
System (732)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Fn
Get Cursor x_out = 424, y_out = 212 True 718
Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 10
Fn
Get Time type = System Time, time = 2018-10-25 06:44:43 (UTC) True 1
Fn
Get Time type = Ticks, time = 146703 True 1
Fn
Get Info type = Operating System True 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (249)
»
Operation Process Additional Information Success Count Logfile
Print c:\users\ciihmn~1\appdata\roaming\adsldraw\autoclb.exe type = DEBUG_STRING True 249
Fn
Process #6: autoclb.exe
1514 0
»
Information Value
ID #6
File Name c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:06, Reason: Autostart
Unmonitor End Time: 00:02:27, Reason: Self Terminated
Monitor Duration 00:00:21
OS Process Information
»
Information Value
PID 0xb7c
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8B4
0x 574
0x 920
0x 808
0x 804
0x 4D0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00031fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x0000000000060000 0x00060000 0x00060fff Private Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x0000000000090000 0x00090000 0x00090fff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x000a0fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory rw True False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory rw True False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x00110fff Private Memory rw True False False -
private_0x0000000000120000 0x00120000 0x00120fff Private Memory rw True False False -
private_0x0000000000130000 0x00130000 0x00130fff Private Memory rw True False False -
private_0x0000000000140000 0x00140000 0x00140fff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
private_0x0000000000160000 0x00160000 0x00160fff Private Memory rw True False False -
private_0x0000000000170000 0x00170000 0x00170fff Private Memory rw True False False -
private_0x0000000000180000 0x00180000 0x00180fff Private Memory rw True False False -
private_0x0000000000190000 0x00190000 0x00190fff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x002cffff Private Memory rw True False False -
private_0x00000000002d0000 0x002d0000 0x002d0fff Private Memory rw True False False -
msvfw32.dll.mui 0x002e0000 0x002e1fff Memory Mapped File r False False False -
private_0x00000000002f0000 0x002f0000 0x002fffff Private Memory rw True False False -
private_0x0000000000300000 0x00300000 0x003fffff Private Memory rw True False False -
autoclb.exe 0x00400000 0x004d0fff Memory Mapped File rwx True True False
...
private_0x00000000004e0000 0x004e0000 0x004e3fff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x004f1fff Pagefile Backed Memory r True False False -
private_0x0000000000500000 0x00500000 0x00500fff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x0060ffff Private Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0064ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x0074ffff Private Memory rw True False False -
private_0x0000000000750000 0x00750000 0x0078ffff Private Memory rw True False False -
private_0x0000000000790000 0x00790000 0x0088ffff Private Memory rw True False False -
pagefile_0x0000000000890000 0x00890000 0x00a17fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000a20000 0x00a20000 0x00a21fff Pagefile Backed Memory r True False False -
private_0x0000000000a30000 0x00a30000 0x00aaffff Private Memory rw True False False -
private_0x0000000000a30000 0x00a30000 0x00a6ffff Private Memory rw True False False -
private_0x0000000000a70000 0x00a70000 0x00a70fff Private Memory rw True False False -
private_0x0000000000a80000 0x00a80000 0x00a80fff Private Memory rw True False False -
private_0x0000000000a90000 0x00a90000 0x00a90fff Private Memory rw True False False -
private_0x0000000000aa0000 0x00aa0000 0x00aaffff Private Memory rw True False False -
private_0x0000000000ab0000 0x00ab0000 0x00ab0fff Private Memory rw True False False -
private_0x0000000000ac0000 0x00ac0000 0x00ac0fff Private Memory rw True False False -
private_0x0000000000ad0000 0x00ad0000 0x00ad0fff Private Memory rw True False False -
private_0x0000000000ae0000 0x00ae0000 0x00ae0fff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00af0fff Private Memory rw True False False -
private_0x0000000000b00000 0x00b00000 0x00b00fff Private Memory rw True False False -
private_0x0000000000b10000 0x00b10000 0x00b10fff Private Memory rw True False False -
private_0x0000000000b20000 0x00b20000 0x00b2ffff Private Memory rw True False False -
private_0x0000000000b30000 0x00b30000 0x00b30fff Private Memory rw True False False -
private_0x0000000000b40000 0x00b40000 0x00b4ffff Private Memory rw True False False -
pagefile_0x0000000000b50000 0x00b50000 0x00cd0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000ce0000 0x00ce0000 0x020dffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x020e0000 0x02416fff Memory Mapped File r False False False -
private_0x0000000002420000 0x02420000 0x025fffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory rw True False False -
private_0x0000000002520000 0x02520000 0x02520fff Private Memory rw True False False -
private_0x0000000002530000 0x02530000 0x02530fff Private Memory rw True False False -
private_0x0000000002540000 0x02540000 0x02540fff Private Memory rw True False False -
private_0x0000000002550000 0x02550000 0x02550fff Private Memory rw True False False -
private_0x0000000002560000 0x02560000 0x02560fff Private Memory rw True False False -
private_0x0000000002570000 0x02570000 0x02570fff Private Memory rw True False False -
private_0x0000000002580000 0x02580000 0x02580fff Private Memory rw True False False -
private_0x0000000002590000 0x02590000 0x02590fff Private Memory rw True False False -
private_0x00000000025a0000 0x025a0000 0x025a0fff Private Memory rw True False False -
private_0x00000000025b0000 0x025b0000 0x025b0fff Private Memory rw True False False -
private_0x00000000025c0000 0x025c0000 0x025c0fff Private Memory rw True False False -
private_0x00000000025d0000 0x025d0000 0x025d0fff Private Memory rw True False False -
private_0x00000000025e0000 0x025e0000 0x025e0fff Private Memory rw True False False -
private_0x00000000025f0000 0x025f0000 0x025fffff Private Memory rw True False False -
private_0x0000000002600000 0x02600000 0x02600fff Private Memory rw True False False -
private_0x0000000002610000 0x02610000 0x02610fff Private Memory rw True False False -
private_0x0000000002620000 0x02620000 0x02620fff Private Memory rw True False False -
private_0x0000000002630000 0x02630000 0x02630fff Private Memory rw True False False -
private_0x0000000002640000 0x02640000 0x02640fff Private Memory rw True False False -
private_0x0000000002650000 0x02650000 0x02650fff Private Memory rw True False False -
private_0x0000000002660000 0x02660000 0x02660fff Private Memory rw True False False -
private_0x0000000002670000 0x02670000 0x02670fff Private Memory rw True False False -
wow64cpu.dll 0x58460000 0x58467fff Memory Mapped File rwx False False False -
wow64.dll 0x58470000 0x584befff Memory Mapped File rwx False False False -
wow64win.dll 0x584c0000 0x58532fff Memory Mapped File rwx False False False -
msvfw32.dll 0x739d0000 0x739f2fff Memory Mapped File rwx False False False -
comctl32.dll 0x73cf0000 0x73ef8fff Memory Mapped File rwx False False False -
glu32.dll 0x73f00000 0x73f24fff Memory Mapped File rwx False False False -
tapi32.dll 0x73f30000 0x73f63fff Memory Mapped File rwx False False False -
version.dll 0x73ff0000 0x73ff7fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x74020000 0x7404ffff Memory Mapped File rwx False False False -
uxtheme.dll 0x74070000 0x740e4fff Memory Mapped File rwx False False False -
dciman32.dll 0x740f0000 0x740f6fff Memory Mapped File rwx False False False -
devobj.dll 0x74100000 0x74120fff Memory Mapped File rwx False False False -
winnsi.dll 0x74130000 0x74137fff Memory Mapped File rwx False False False -
ddraw.dll 0x74140000 0x7422afff Memory Mapped File rwx False False False -
winmmbase.dll 0x74230000 0x74252fff Memory Mapped File rwx False False False -
winmm.dll 0x74260000 0x74283fff Memory Mapped File rwx False False False -
opengl32.dll 0x74290000 0x7436ffff Memory Mapped File rwx False False False -
comctl32.dll 0x74370000 0x74401fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74410000 0x74468fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74470000 0x74479fff Memory Mapped File rwx False False False -
sspicli.dll 0x74480000 0x7449dfff Memory Mapped File rwx False False False -
comdlg32.dll 0x744a0000 0x7455dfff Memory Mapped File rwx False False False -
shcore.dll 0x74570000 0x745fcfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74600000 0x74775fff Memory Mapped File rwx False False False -
shlwapi.dll 0x747e0000 0x74823fff Memory Mapped File rwx False False False -
user32.dll 0x74920000 0x74a5ffff Memory Mapped File rwx False False False -
combase.dll 0x74cf0000 0x74ea9fff Memory Mapped File rwx False False False -
powrprof.dll 0x74eb0000 0x74ef3fff Memory Mapped File rwx False False False -
nsi.dll 0x74f00000 0x74f06fff Memory Mapped File rwx False False False -
imm32.dll 0x74f10000 0x74f3afff Memory Mapped File rwx False False False -
psapi.dll 0x74fe0000 0x74fe5fff Memory Mapped File rwx False False False -
msctf.dll 0x75040000 0x7515ffff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x75160000 0x7516bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x751d0000 0x7528dfff Memory Mapped File rwx False False False -
shell32.dll 0x75290000 0x7664efff Memory Mapped File rwx False False False -
rpcrt4.dll 0x767d0000 0x7687bfff Memory Mapped File rwx False False False -
windows.storage.dll 0x76880000 0x76d5cfff Memory Mapped File rwx False False False -
gdi32.dll 0x76d60000 0x76eacfff Memory Mapped File rwx False False False -
setupapi.dll 0x76eb0000 0x77054fff Memory Mapped File rwx False False False -
advapi32.dll 0x770c0000 0x7713afff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x77140000 0x77175fff Memory Mapped File rwx False False False -
profapi.dll 0x77180000 0x7718efff Memory Mapped File rwx False False False -
sechost.dll 0x77190000 0x771d2fff Memory Mapped File rwx False False False -
kernel32.dll 0x77280000 0x7736ffff Memory Mapped File rwx False False False -
ntdll.dll 0x77370000 0x774e8fff Memory Mapped File rwx False False False -
private_0x000000007fe40000 0x7fe40000 0x7fe9ffff Private Memory rw True False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory rw True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory rw True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffb4817ffff Private Memory r True False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
private_0x00007ffb48342000 0x7ffb48342000 0x7ffffffeffff Private Memory r True False False -
For performance reasons, the remaining 36 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (261)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\98F9CE91 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Windows\system32\c_1252.nls desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw - False 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Get Info C:\Windows\system32\c_1252.nls type = time True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Read STD_ERROR_HANDLE size = 0 False 1
Fn
Write - size = 1 False 249
Fn
Registry (12)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_USERS - True 1
Fn
Open Key HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = cabilipc, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_USERS\S-1-5-21-1462094071-1423818996-289466292-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders value_name = AppData, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Enumerate Keys HKEY_USERS - True 1
Fn
Process (3)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\svchost.exe os_pid = 0x534, creation_flags = CREATE_SUSPENDED, CREATE_DEFAULT_ERROR_MODE, show_window = SW_HIDE True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (6)
»
Operation Process Additional Information Success Count Logfile
Suspend c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4d0 True 1
Fn
Get Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4d0 True 2
Fn
Set Context c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4d0 True 1
Fn
Resume c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe os_tid = 0x4d0 True 2
Fn
Memory (4)
»
Operation Process Additional Information Success Count Logfile
Protect C:\Windows\system32\svchost.exe address = 0x7ff7e54b3440, protection = PAGE_EXECUTE_READWRITE, size = 44692984 True 1
Fn
Protect C:\Windows\system32\svchost.exe address = 0x7ff7e54b3000, protection = PAGE_EXECUTE_READ, size = 44692984 True 1
Fn
Write C:\Windows\system32\svchost.exe address = 0x1110000, size = 792 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x7ff7e54b3440, size = 4 True 1
Fn
Data
Module (237)
»
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x77370000 True 1
Fn
Load SHLWAPI.dll base_address = 0x747e0000 True 1
Fn
Load SETUPAPI.dll base_address = 0x76eb0000 True 1
Fn
Load KERNEL32.dll base_address = 0x77280000 True 1
Fn
Load USER32.dll base_address = 0x74920000 True 1
Fn
Load ADVAPI32.dll base_address = 0x770c0000 True 1
Fn
Load SHELL32.dll base_address = 0x75290000 True 1
Fn
Load ole32.dll base_address = 0x74a60000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x77280000 True 17
Fn
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe base_address = 0x400000 True 18
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77370000 True 19
Fn
Get Handle c:\windows\syswow64\advapi32.dll base_address = 0x770c0000 True 2
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74920000 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x7729a330 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x77297580 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x77299910 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x7729f400 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = EncodePointer, address_out = 0x773cf190 True 9
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DecodePointer, address_out = 0x773ca200 True 6
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x77299680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memset, address_out = 0x773dee50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = strstr, address_out = 0x773e0010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = mbstowcs, address_out = 0x773de610 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlNtStatusToDosError, address_out = 0x773c3010 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = memcpy, address_out = 0x773de7b0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlGetVersion, address_out = 0x773cfcd0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUnwind, address_out = 0x773caca0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationProcess, address_out = 0x773d8d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySystemInformation, address_out = 0x773d8f40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcessToken, address_out = 0x773d9d20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwQueryInformationToken, address_out = 0x773d8df0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwClose, address_out = 0x773d8cb0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwOpenProcess, address_out = 0x773d8e40 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x773d8e80 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtMapViewOfSection, address_out = 0x773d8e60 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtCreateSection, address_out = 0x773d9080 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlFreeUnicodeString, address_out = 0x773ab940 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlUpcaseUnicodeString, address_out = 0x773be040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = _aulldiv, address_out = 0x773dc680 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQueryVirtualMemory, address_out = 0x773d8e10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrStrIA, address_out = 0x747fcd10 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrW, address_out = 0x747f6a00 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindFileNameW, address_out = 0x747f80d0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathCombineW, address_out = 0x747fcd50 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionA, address_out = 0x74801db0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrChrA, address_out = 0x748026c0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrTrimW, address_out = 0x747f83a0 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = PathFindExtensionW, address_out = 0x747f7c40 True 1
Fn
Get Address c:\windows\syswow64\shlwapi.dll function = StrRChrA, address_out = 0x74802900 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetDeviceRegistryPropertyA, address_out = 0x76f019a0 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiGetClassDevsA, address_out = 0x76ed8d10 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiEnumDeviceInfo, address_out = 0x76ec5620 True 1
Fn
Get Address c:\windows\syswow64\setupapi.dll function = SetupDiDestroyDeviceInfoList, address_out = 0x76ec5340 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapFree, address_out = 0x772925e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetComputerNameA, address_out = 0x7729f4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitProcess, address_out = 0x772a74f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleHandleA, address_out = 0x77299640 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x7729a4b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExitThread, address_out = 0x773d2570 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x772a5f20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThread, address_out = 0x77299700 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapDestroy, address_out = 0x7729d940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapCreate, address_out = 0x77299950 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEvent, address_out = 0x772a60c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyW, address_out = 0x772bd410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileAttributesW, address_out = 0x772a6510 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenW, address_out = 0x77292d80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpyA, address_out = 0x7729e320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SwitchToThread, address_out = 0x77299f30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetEndOfFile, address_out = 0x772a64f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventA, address_out = 0x772a5f70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushFileBuffers, address_out = 0x772a62a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathA, address_out = 0x772a6410 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLastError, address_out = 0x77292db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindNextFileA, address_out = 0x772a6270 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = HeapAlloc, address_out = 0x773ada90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiW, address_out = 0x77297540 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetProcAddress, address_out = 0x77297940 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetWaitableTimer, address_out = 0x772a60d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x772a57f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatW, address_out = 0x772bd320 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindClose, address_out = 0x772a61d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileA, address_out = 0x772a6170 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareFileTime, address_out = 0x772a6130 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResetEvent, address_out = 0x772a60b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x772a6590 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileTime, address_out = 0x772a6380 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x772c0960 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryW, address_out = 0x772a6150 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = DeleteFileW, address_out = 0x772a61b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x772a6180 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateWaitableTimerA, address_out = 0x7729db30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ResumeThread, address_out = 0x7729a280 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SuspendThread, address_out = 0x7729ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpA, address_out = 0x7729c1f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcpynA, address_out = 0x7729f7b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LocalFree, address_out = 0x772987c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x772c0da0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x772977b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrlenA, address_out = 0x772a3a30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcatA, address_out = 0x7729efc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForSingleObject, address_out = 0x772a6110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x772a64a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x7729c8c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateDirectoryA, address_out = 0x772a6140 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x772c2a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FindFirstFileA, address_out = 0x772a6210 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameA, address_out = 0x7729a040 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetModuleFileNameW, address_out = 0x77299560 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x772a6360 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = OpenProcess, address_out = 0x772992b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateRemoteThread, address_out = 0x772c0a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x77298b70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = lstrcmpiA, address_out = 0x77297610 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualFree, address_out = 0x77298c70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x77292af0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessId, address_out = 0x77291d90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetVersion, address_out = 0x7729a300 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x772947c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFilePointer, address_out = 0x772a6530 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempFileNameA, address_out = 0x772a63f0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfA, address_out = 0x7494ea00 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CharUpperA, address_out = 0x749531c0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = FindWindowA, address_out = 0x74950980 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = wsprintfW, address_out = 0x7494ddf0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MessageBoxA, address_out = 0x7499cf50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExW, address_out = 0x770ded60 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegEnumKeyExA, address_out = 0x770e2520 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyW, address_out = 0x770df590 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegDeleteValueW, address_out = 0x770e0ca0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7710bda0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExW, address_out = 0x770df0a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthorityCount, address_out = 0x770e0f50 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetSidSubAuthority, address_out = 0x770e0ea0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = OpenProcessToken, address_out = 0x770dee90 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyA, address_out = 0x770e31a0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegSetValueExA, address_out = 0x770e0750 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCreateKeyA, address_out = 0x770e3150 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = GetTokenInformation, address_out = 0x770ded40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegCloseKey, address_out = 0x770defa0 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegQueryValueExA, address_out = 0x770dee40 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x770df000 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75424370 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteExW, address_out = 0x75424cb0 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = 92, address_out = 0x75507560 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x74d5dca0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x74d5cd50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsWow64Process, address_out = 0x772996e0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetWindowThreadProcessId, address_out = 0x7493ba70 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Wow64EnableWow64FsRedirection, address_out = 0x772bb6a0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64QueryInformationProcess64, address_out = 0x773da840 True 15
Fn
Get Address c:\windows\syswow64\ntdll.dll function = ZwWow64ReadVirtualMemory64, address_out = 0x773da860 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 44692952 True 1
Fn
Map - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2f70000 True 1
Fn
Map - process_name = C:\Windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xfd0000 True 1
Fn
Window (3)
»
Operation Window Name Additional Information Success Count Logfile
Create FTP class_name = fetches, wndproc_parameter = 0 False 1
Fn
Find - class_name = ProgMan True 2
Fn
System (732)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Fn
Get Cursor x_out = 821, y_out = 20 True 715
Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 10
Fn
Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Get Time type = System Time, time = 2018-10-24 19:45:56 (UTC) True 1
Fn
Get Time type = Ticks, time = 52828 True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System False 1
Fn
Environment (1)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (249)
»
Operation Process Additional Information Success Count Logfile
Print c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe type = DEBUG_STRING True 249
Fn
Process #7: svchost.exe
314 0
»
Information Value
ID #7
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:25, Reason: Child Process
Unmonitor End Time: 00:02:29, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0x534
Parent PID 0xb7c (c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 554
0x 428
0x 7C4
0x 7F8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000fd0000 0x00fd0000 0x01102fff Pagefile Backed Memory rwx True False False -
private_0x0000000001110000 0x01110000 0x01110fff Private Memory rwx True False False -
private_0x000000007f06c000 0x7f06c000 0x7f06cfff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e86afd0000 0xe86afd0000 0xe86afeffff Private Memory rw True False False -
pagefile_0x000000e86afd0000 0xe86afd0000 0xe86afdffff Pagefile Backed Memory rw True False False -
svchost.exe.mui 0xe86afe0000 0xe86afe0fff Memory Mapped File r False False False -
pagefile_0x000000e86aff0000 0xe86aff0000 0xe86b003fff Pagefile Backed Memory r True False False -
private_0x000000e86b010000 0xe86b010000 0xe86b08ffff Private Memory rw True False False -
pagefile_0x000000e86b090000 0xe86b090000 0xe86b093fff Pagefile Backed Memory r True False False -
pagefile_0x000000e86b0a0000 0xe86b0a0000 0xe86b0a0fff Pagefile Backed Memory r True False False -
private_0x000000e86b0b0000 0xe86b0b0000 0xe86b0b1fff Private Memory rw True False False -
locale.nls 0xe86b0c0000 0xe86b17dfff Memory Mapped File r False False False -
private_0x000000e86b180000 0xe86b180000 0xe86b1fffff Private Memory rw True False False -
private_0x000000e86b200000 0xe86b200000 0xe86b21cfff Private Memory rw True False False -
private_0x000000e86b200000 0xe86b200000 0xe86b200fff Private Memory rw True False False -
private_0x000000e86b210000 0xe86b210000 0xe86b21cfff Private Memory rw True False False -
private_0x000000e86b220000 0xe86b220000 0xe86b220fff Private Memory rw True False False -
msvfw32.dll.mui 0xe86b230000 0xe86b231fff Memory Mapped File r False False False -
private_0x000000e86b240000 0xe86b240000 0xe86b246fff Private Memory rw True False False -
imm32.dll 0xe86b250000 0xe86b283fff Memory Mapped File r False False False -
private_0x000000e86b250000 0xe86b250000 0xe86b26cfff Private Memory rw True False False -
private_0x000000e86b300000 0xe86b300000 0xe86b3fffff Private Memory rw True False False -
private_0x000000e86b400000 0xe86b400000 0xe86b5fffff Private Memory rw True False False -
private_0x000000e86b400000 0xe86b400000 0xe86b4fffff Private Memory rw True False False -
pagefile_0x000000e86b500000 0xe86b500000 0xe86b687fff Pagefile Backed Memory r True False False -
pagefile_0x000000e86b690000 0xe86b690000 0xe86b810fff Pagefile Backed Memory r True False False -
pagefile_0x000000e86b820000 0xe86b820000 0xe86cc1ffff Pagefile Backed Memory r True False False -
private_0x000000e86cc20000 0xe86cc20000 0xe86cdfcfff Private Memory rw True False False -
oleaut32.dll 0xe86cc20000 0xe86ccdcfff Memory Mapped File r False False False -
pagefile_0x000000e86cc20000 0xe86cc20000 0xe86cd52fff Pagefile Backed Memory rwx True False False -
private_0x000000e86cdf0000 0xe86cdf0000 0xe86cdfcfff Private Memory rw True False False -
private_0x000000e86ce00000 0xe86ce00000 0xe86cffffff Private Memory rw True False False -
private_0x000000e86ce00000 0xe86ce00000 0xe86cefffff Private Memory rw True False False -
private_0x000000e86cf00000 0xe86cf00000 0xe86d0fffff Private Memory rw True False False -
private_0x000000e86cf00000 0xe86cf00000 0xe86cffffff Private Memory rw True False False -
private_0x000000e86d000000 0xe86d000000 0xe86d1fffff Private Memory rw True False False -
private_0x000000e86d000000 0xe86d000000 0xe86d0fffff Private Memory rw True False False -
private_0x000000e86d100000 0xe86d100000 0xe86d2fffff Private Memory rw True False False -
private_0x000000e86d100000 0xe86d100000 0xe86d1fffff Private Memory rw True False False -
private_0x000000e86d200000 0xe86d200000 0xe86d3fffff Private Memory rw True False False -
private_0x000000e86d200000 0xe86d200000 0xe86d2fffff Private Memory rw True False False -
sortdefault.nls 0xe86d300000 0xe86d636fff Memory Mapped File r False False False -
pagefile_0x00007df5ff9c0000 0x7df5ff9c0000 0x7ff5ff9bffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7e4a60000 0x7ff7e4a60000 0x7ff7e4b5ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7e4b60000 0x7ff7e4b60000 0x7ff7e4b82fff Pagefile Backed Memory r True False False -
private_0x00007ff7e4b89000 0x7ff7e4b89000 0x7ff7e4b89fff Private Memory rw True False False -
private_0x00007ff7e4b8c000 0x7ff7e4b8c000 0x7ff7e4b8dfff Private Memory rw True False False -
private_0x00007ff7e4b8e000 0x7ff7e4b8e000 0x7ff7e4b8ffff Private Memory rw True False False -
svchost.exe 0x7ff7e54b0000 0x7ff7e54bcfff Memory Mapped File rwx False False False -
winmmbase.dll 0x7ffb35990000 0x7ffb359bbfff Memory Mapped File rwx False False False -
winmm.dll 0x7ffb359c0000 0x7ffb359e2fff Memory Mapped File rwx False False False -
comctl32.dll 0x7ffb36120000 0x7ffb361c9fff Memory Mapped File rwx False False False -
msvfw32.dll 0x7ffb3cec0000 0x7ffb3cee8fff Memory Mapped File rwx False False False -
msacm32.dll 0x7ffb40a30000 0x7ffb40a4bfff Memory Mapped File rwx False False False -
avifil32.dll 0x7ffb40a50000 0x7ffb40a6ffff Memory Mapped File rwx False False False -
devobj.dll 0x7ffb43520000 0x7ffb43546fff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffb447d0000 0x7ffb447fbfff Memory Mapped File rwx False False False -
powrprof.dll 0x7ffb44bb0000 0x7ffb44bf9fff Memory Mapped File rwx False False False -
profapi.dll 0x7ffb44c00000 0x7ffb44c12fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffb44c20000 0x7ffb44c2efff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x7ffb44c50000 0x7ffb44c93fff Memory Mapped File rwx False False False -
windows.storage.dll 0x7ffb44d50000 0x7ffb45377fff Memory Mapped File rwx False False False -
shcore.dll 0x7ffb455b0000 0x7ffb45662fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
ole32.dll 0x7ffb45900000 0x7ffb45a40fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
psapi.dll 0x7ffb460b0000 0x7ffb460b7fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffb46250000 0x7ffb462a0fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
combase.dll 0x7ffb46610000 0x7ffb4688bfff Memory Mapped File rwx False False False -
shell32.dll 0x7ffb46890000 0x7ffb47db4fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffb47e30000 0x7ffb47ed5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Hook Information
»
Type Installer Target Size Information Actions
Code pagefile_0x0000000000fd0000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa 8 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4 2 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x1fe 8 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x1f8 2 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x20c 8 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x206 2 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x21a 8 bytes -
...
Code pagefile_0x0000000000fd0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x214 2 bytes -
...
IAT pagefile_0x0000000000fd0000:+0x289b5 261. entry of msctf.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 133. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x0000000000fd0000:+0x316b8
...
IAT pagefile_0x0000000000fd0000:+0x289b5 134. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 230. entry of user32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 517. entry of ole32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 638. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000fd0000:+0x318ec
...
IAT pagefile_0x0000000000fd0000:+0x289b5 631. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 236. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x0000000000fd0000:+0x315b0
...
IAT pagefile_0x0000000000fd0000:+0x289b5 215. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x0000000000fd0000:+0x318ec
...
Injection Information
»
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4d0 address = 0xfd0000, size = 1257472 True 1
Fn
Modify Memory #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4d0 address = 0x1110000, size = 792 True 1
Fn
Data
Modify Control Flow #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4d0 os_tid = 0x554, address = 0xe4b89000 True 1
Fn
Modify Memory #6: c:\users\ciihmnxmn6ps\appdata\roaming\adsldraw\autoclb.exe 0x4d0 address = 0x7ff7e54b3440, size = 4 True 1
Fn
Data
Host Behavior
File (6)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\SYSTEM32\ntdll.dll desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 3
Fn
Read C:\Windows\SYSTEM32\ntdll.dll size = 4, size_out = 4 True 3
Fn
Data
Registry (12)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, data = 232, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductID, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = CurrentVersion, data = 54 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Scr, type = REG_NONE False 1
Fn
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 1
Fn
Data
Process (35)
»
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\system32\svchost.exe type = PROCESS_BASIC_INFORMATION True 34
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Thread (7)
»
Operation Process Additional Information Success Count Logfile
Create c:\windows\explorer.exe proc_address = 0x7ffb48189fa0, proc_parameter = 0, flags = THREAD_CREATE_SUSPENDED True 1
Fn
Suspend c:\windows\explorer.exe os_tid = 0x2e0 True 1
Fn
Get Context c:\windows\explorer.exe os_tid = 0x2e0 True 2
Fn
Set Context c:\windows\explorer.exe os_tid = 0x2e0 True 1
Fn
Resume c:\windows\explorer.exe os_tid = 0x2e0 True 2
Fn
Memory (9)
»
Operation Process Additional Information Success Count Logfile
Allocate c:\windows\explorer.exe address = 0xe86b08eaa0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 998228159144 True 1
Fn
Protect c:\windows\explorer.exe address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READWRITE, size = 4 True 2
Fn
Protect c:\windows\explorer.exe address = 0x7ffb48189fa0, protection = PAGE_EXECUTE_READ, size = 4 True 2
Fn
Read c:\windows\explorer.exe address = 0x7ffb48189fa0, size = 4 True 1
Fn
Data
Write c:\windows\explorer.exe address = 0x7ffb48189fa0, size = 4 True 2
Fn
Data
Write c:\windows\explorer.exe address = 0x5ad0000, size = 792 True 1
Fn
Data
Module (227)
»
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 1
Fn
Load AVIFIL32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ffb47e30000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ffb46250000 True 1
Fn
Load USER32.dll base_address = 0x7ffb45c50000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ffb460b0000 True 1
Fn
Get Handle c:\windows\system32\svchost.exe base_address = 0x7ff7e54b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 5
Fn
Get Handle c:\windows\system32\ntdll.dll base_address = 0x7ffb48180000 True 4
Fn
Get Handle c:\windows\system32\kernelbase.dll base_address = 0x7ffb45670000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x7ffb47e30000 True 2
Fn
Get Filename AVIFIL32.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 2
Fn
Get Filename c:\windows\system32\ntdll.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 260 True 3
Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = memmove, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = bsearch, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = _vsnwprintf, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = _strlwr, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = atoi, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = strstr, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = memset, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = memcmp, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = VirtualQueryEx, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateRemoteThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WriteProcessMemory, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GlobalLock, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GlobalAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GlobalUnlock, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateProcessW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetComputerNameA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetVolumeInformationA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetFileAttributesA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LocalReAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = Process32NextW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = Process32FirstW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIStreamRelease, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIStreamWrite, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIFileOpenA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIFileCreateStreamA, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIStreamSetFormat, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIFileExit, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIFileInit, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIMakeCompressedStream, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address - function = AVIFileRelease, ordinal = 0, address_out = 0xe86b08f910 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x7ffb45e2e960 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb47e4d610 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrRChrA, address_out = 0x7ffb46264dd0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = wsprintfA, address_out = 0x7ffb45c72610 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyA, address_out = 0x7ffb47e4b9e0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x7ffb47e47dd0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7ffb47e472e0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrToIntExA, address_out = 0x7ffb46264e70 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrChrA, address_out = 0x7ffb46264cc0 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrTrimA, address_out = 0x7ffb46264e80 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7ffb47e5ec40 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x7ffb460b1040 True 1
Fn
Get Address c:\windows\system32\shlwapi.dll function = StrStrIW, address_out = 0x7ffb4625b260 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetShellWindow, address_out = 0x7ffb45c74060 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowThreadProcessId, address_out = 0x7ffb45c64040 True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = RtlExitUserThread, address_out = 0x7ffb48189fa0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCreateKeyA, address_out = 0x7ffb47e76dc0 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameW, address_out = 0x7ffb47e4da40 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegSetValueExA, address_out = 0x7ffb47e32680 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x7ffb47e47d70 True 1
Fn
Create Mapping - protection = PAGE_EXECUTE_READWRITE, maximum_size = 998228160576 True 1
Fn
Map - process_name = c:\windows\system32\svchost.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe86cc20000 True 1
Fn
Map - process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xcaf0000 True 1
Fn
System (6)
»
Operation Additional Information Success Count Logfile
Get Computer Name - False 1
Fn
Get Computer Name result_out = LHNIWSJ True 2
Fn
Sleep duration = 100 milliseconds (0.100 seconds) True 1
Fn
Get Time type = Ticks, time = 60437 True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (1)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {0A7B8D95-E12E-CCFA-BBDE-A5C01FF2A9F4} True 1
Fn
Process #8: explorer.exe
6221 16
»
Information Value
ID #8
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:27, Reason: Injection
Unmonitor End Time: 00:04:27, Reason: Terminated by Timeout
Monitor Duration 00:02:00
OS Process Information
»
Information Value
PID 0x824
Parent PID 0x80c (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 548
0x B34
0x A40
0x BB0
0x BA4
0x B98
0x B90
0x B84
0x B68
0x B64
0x B48
0x B3C
0x B38
0x B30
0x B2C
0x B28
0x B18
0x B0C
0x B08
0x AF0
0x 9F4
0x 974
0x 970
0x 964
0x 95C
0x 954
0x 938
0x 92C
0x 924
0x 91C
0x 918
0x 914
0x 90C
0x 908
0x 904
0x 900
0x 8FC
0x 8F8
0x 8F4
0x 8EC
0x 8E8
0x 8E4
0x 8DC
0x 8C4
0x 8A0
0x 884
0x 880
0x 87C
0x 878
0x 874
0x 870
0x 86C
0x 864
0x 860
0x 85C
0x 858
0x 854
0x 850
0x 84C
0x 840
0x 83C
0x 838
0x 834
0x 82C
0x 828
0x 2E0
0x 7FC
0x 42C
0x 7D8
0x 7C0
0x BE0
0x 558
0x A3C
0x 2DC
0x 540
0x BBC
0x 44C
0x 618
0x 4B8
0x 84
0x 7C8
0x BF0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000fa0000 0x00fa0000 0x00faffff Pagefile Backed Memory rw True False False -
private_0x0000000000fb0000 0x00fb0000 0x00fb6fff Private Memory rw True False False -
pagefile_0x0000000000fc0000 0x00fc0000 0x00fd3fff Pagefile Backed Memory r True False False -
private_0x0000000000fe0000 0x00fe0000 0x0105ffff Private Memory rw True False False -
pagefile_0x0000000001060000 0x01060000 0x01063fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001070000 0x01070000 0x01072fff Pagefile Backed Memory r True False False -
private_0x0000000001080000 0x01080000 0x01081fff Private Memory rw True False False -
private_0x0000000001090000 0x01090000 0x01096fff Private Memory rw True False False -
private_0x00000000010a0000 0x010a0000 0x0119ffff Private Memory rw True False False -
locale.nls 0x011a0000 0x0125dfff Memory Mapped File r False False False -
private_0x0000000001260000 0x01260000 0x012dffff Private Memory rw True False False -
explorer.exe.mui 0x012e0000 0x012e7fff Memory Mapped File r False False False -
private_0x00000000012f0000 0x012f0000 0x012f0fff Private Memory rw True False False -
private_0x0000000001300000 0x01300000 0x01300fff Private Memory rw True False False -
pagefile_0x0000000001310000 0x01310000 0x01310fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001320000 0x01320000 0x01320fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000001330000 0x01330000 0x01330fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001340000 0x01340000 0x01340fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001350000 0x01350000 0x01350fff Pagefile Backed Memory rw True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001d.db 0x01360000 0x01373fff Memory Mapped File r True False False -
cversions.1.db 0x01380000 0x01383fff Memory Mapped File r True False False -
{3da71d5a-20cc-432f-a115-dfe92379e91f}.1.ver0x0000000000000036.db 0x01390000 0x013abfff Memory Mapped File r True False False -
pagefile_0x00000000013b0000 0x013b0000 0x013b2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000013c0000 0x013c0000 0x013c2fff Pagefile Backed Memory r True False False -
private_0x00000000013d0000 0x013d0000 0x013dffff Private Memory rw True False False -
pagefile_0x00000000013e0000 0x013e0000 0x01409fff Pagefile Backed Memory rw True False False -
private_0x0000000001410000 0x01410000 0x0141ffff Private Memory rw True False False -
pagefile_0x0000000001420000 0x01420000 0x015a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000015b0000 0x015b0000 0x01730fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001740000 0x01740000 0x02b3ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x02b40000 0x02e76fff Memory Mapped File r False False False -
private_0x0000000002e80000 0x02e80000 0x02efffff Private Memory rw True False False -
6581.bin 0x02e90000 0x02e90fff Memory Mapped File r True True False
...
private_0x0000000002f00000 0x02f00000 0x02f7ffff Private Memory rw True False False -
private_0x0000000002f80000 0x02f80000 0x02ffffff Private Memory rw True False False -
private_0x0000000003000000 0x03000000 0x0307ffff Private Memory rw True False False -
shell32.dll.mui 0x03080000 0x030e0fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x030f0000 0x031cefff Memory Mapped File r False False False -
private_0x00000000031d0000 0x031d0000 0x0324ffff Private Memory rw True False False -
private_0x0000000003250000 0x03250000 0x032cffff Private Memory rw True False False -
private_0x00000000032d0000 0x032d0000 0x0334ffff Private Memory rw True False False -
pagefile_0x0000000003350000 0x03350000 0x03351fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003360000 0x03360000 0x03361fff Pagefile Backed Memory r True False False -
oleaccrc.dll 0x03370000 0x03371fff Memory Mapped File r False False False -
oleaccrc.dll.mui 0x03380000 0x03384fff Memory Mapped File r False False False -
pagefile_0x0000000003390000 0x03390000 0x03447fff Pagefile Backed Memory r True False False -
pagefile_0x0000000003450000 0x03450000 0x03453fff Pagefile Backed Memory r True False False -
private_0x0000000003460000 0x03460000 0x0355ffff Private Memory rw True False False -
private_0x0000000003560000 0x03560000 0x0365ffff Private Memory rw True False False -
private_0x0000000003660000 0x03660000 0x03660fff Private Memory rw True False False -
staticcache.dat 0x03670000 0x046affff Memory Mapped File r False False False -
private_0x00000000046b0000 0x046b0000 0x046b6fff Private Memory rw True False False -
private_0x00000000046c0000 0x046c0000 0x046c0fff Private Memory rw True False False -
private_0x00000000046d0000 0x046d0000 0x046d0fff Private Memory rw True False False -
private_0x00000000046e0000 0x046e0000 0x046e0fff Private Memory rw True False False -
private_0x00000000046f0000 0x046f0000 0x0476ffff Private Memory rw True False False -
private_0x0000000004770000 0x04770000 0x04771fff Private Memory rw True False False -
private_0x0000000004780000 0x04780000 0x04780fff Private Memory rw True False False -
private_0x0000000004790000 0x04790000 0x04790fff Private Memory rw True False False -
private_0x00000000047a0000 0x047a0000 0x047a0fff Private Memory rw True False False -
pagefile_0x00000000047b0000 0x047b0000 0x047b2fff Pagefile Backed Memory r True False False -
cversions.1.db 0x047c0000 0x047c3fff Memory Mapped File r True False False -
private_0x00000000047d0000 0x047d0000 0x047d0fff Private Memory rw True False False -
pagefile_0x00000000047e0000 0x047e0000 0x047e0fff Pagefile Backed Memory rw True False False -
private_0x00000000047f0000 0x047f0000 0x047f0fff Private Memory rw True False False -
pagefile_0x0000000004800000 0x04800000 0x04802fff Pagefile Backed Memory r True False False -
pagefile_0x0000000004810000 0x04810000 0x04848fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000004850000 0x04850000 0x04852fff Pagefile Backed Memory r True False False -
private_0x0000000004860000 0x04860000 0x04860fff Private Memory rw True False False -
private_0x0000000004870000 0x04870000 0x04870fff Private Memory rw True False False -
cversions.2.db 0x04880000 0x04883fff Memory Mapped File r True False False -
stobject.dll.mui 0x04890000 0x04891fff Memory Mapped File r False False False -
pagefile_0x00000000048a0000 0x048a0000 0x048a2fff Pagefile Backed Memory r True False False -
inputswitch.dll.mui 0x048b0000 0x048b1fff Memory Mapped File r False False False -
private_0x00000000048c0000 0x048c0000 0x048c0fff Private Memory rw True False False -
pagefile_0x00000000048d0000 0x048d0000 0x048d2fff Pagefile Backed Memory r True False False -
pagefile_0x00000000048e0000 0x048e0000 0x048e1fff Pagefile Backed Memory r True False False -
sndvolsso.dll.mui 0x048f0000 0x048f1fff Memory Mapped File r False False False -
pagefile_0x0000000004900000 0x04900000 0x04902fff Pagefile Backed Memory r True False False -
cversions.2.db 0x04910000 0x04913fff Memory Mapped File r True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000f.db 0x04920000 0x04962fff Memory Mapped File r True False False -
cversions.2.db 0x04970000 0x04973fff Memory Mapped File r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x04980000 0x04a0afff Memory Mapped File r True False False -
propsys.dll.mui 0x04a10000 0x04a20fff Memory Mapped File r False False False -
private_0x0000000004a30000 0x04a30000 0x04aaffff Private Memory rw True False False -
private_0x0000000004ab0000 0x04ab0000 0x04b2ffff Private Memory rw True False False -
private_0x0000000004b30000 0x04b30000 0x04baffff Private Memory rw True False False -
private_0x0000000004bb0000 0x04bb0000 0x04bb0fff Private Memory rw True False False -
private_0x0000000004bc0000 0x04bc0000 0x04c3ffff Private Memory rw True False False -
private_0x0000000004c40000 0x04c40000 0x04cbffff Private Memory rw True False False -
private_0x0000000004cc0000 0x04cc0000 0x04d3ffff Private Memory rw True False False -
private_0x0000000004d40000 0x04d40000 0x04dbffff Private Memory rw True False False -
private_0x0000000004dc0000 0x04dc0000 0x055bffff Private Memory - True False False -
pagefile_0x00000000055c0000 0x055c0000 0x05ab1fff Pagefile Backed Memory rw True False False -
private_0x0000000005ac0000 0x05ac0000 0x05ac0fff Private Memory rw True False False -
counters.dat 0x05b80000 0x05b80fff Memory Mapped File rw True True False
...
winnlsres.dll 0x05bd0000 0x05bd4fff Memory Mapped File r False False False -
private_0x0000000005be0000 0x05be0000 0x05c5ffff Private Memory rw True False False -
private_0x0000000005c60000 0x05c60000 0x05cdffff Private Memory rw True False False -
private_0x0000000005ce0000 0x05ce0000 0x05d5ffff Private Memory rw True False False -
private_0x0000000005d60000 0x05d60000 0x05ddffff Private Memory rw True False False -
private_0x0000000005de0000 0x05de0000 0x05e5ffff Private Memory rw True False False -
private_0x0000000005e60000 0x05e60000 0x05edffff Private Memory rw True False False -
private_0x0000000005ee0000 0x05ee0000 0x05f5ffff Private Memory rw True False False -
pagefile_0x0000000005f60000 0x05f60000 0x05f60fff Pagefile Backed Memory rw True False False -
private_0x0000000005f70000 0x05f70000 0x05f70fff Private Memory rw True False False -
private_0x0000000005f80000 0x05f80000 0x05f80fff Private Memory rw True False False -
winnlsres.dll.mui 0x05f90000 0x05f9ffff Memory Mapped File r False False False -
private_0x0000000005fa0000 0x05fa0000 0x05fadfff Private Memory rw True False False -
mswsock.dll.mui 0x05fb0000 0x05fb2fff Memory Mapped File r False False False -
pagefile_0x0000000005fc0000 0x05fc0000 0x05fc2fff Pagefile Backed Memory r True False False -
private_0x0000000005fd0000 0x05fd0000 0x060cffff Private Memory rw True False False -
pagefile_0x00000000060d0000 0x060d0000 0x060d2fff Pagefile Backed Memory r True False False -
windows.storage.dll.mui 0x060e0000 0x060e7fff Memory Mapped File r False False False -
pnidui.dll.mui 0x060f0000 0x060f1fff Memory Mapped File r False False False -
pagefile_0x0000000006100000 0x06100000 0x06102fff Pagefile Backed Memory r True False False -
private_0x0000000006110000 0x06110000 0x06118fff Private Memory rw True False False -
private_0x0000000006120000 0x06120000 0x06123fff Private Memory rw True False False -
thumbcache_idx.db 0x06130000 0x06131fff Memory Mapped File rw True False False -
netmsg.dll 0x06140000 0x06140fff Memory Mapped File r False False False -
private_0x0000000006150000 0x06150000 0x06158fff Private Memory rw True False False -
private_0x0000000006160000 0x06160000 0x06160fff Private Memory rw True False False -
private_0x0000000006170000 0x06170000 0x0626ffff Private Memory rw True False False -
pagefile_0x0000000006270000 0x06270000 0x06272fff Pagefile Backed Memory r True False False -
thumbcache_idx.db 0x06280000 0x06281fff Memory Mapped File rw True False False -
iconcache_idx.db 0x06290000 0x06291fff Memory Mapped File rw True False False -
bthprops.cpl.mui 0x062a0000 0x062a3fff Memory Mapped File r False False False -
private_0x00000000062b0000 0x062b0000 0x062b0fff Private Memory rw True False False -
pagefile_0x00000000062c0000 0x062c0000 0x062c0fff Pagefile Backed Memory rw True False False -
private_0x00000000062d0000 0x062d0000 0x06317fff Private Memory rw True False False -
thumbcache_48.db 0x06320000 0x0641ffff Memory Mapped File rw True False False -
netmsg.dll.mui 0x06420000 0x06451fff Memory Mapped File r False False False -
imageres.dll.mui 0x06460000 0x06460fff Memory Mapped File r False False False -
thumbcache_idx.db 0x06470000 0x06471fff Memory Mapped File rw True False False -
iconcache_idx.db 0x06480000 0x06481fff Memory Mapped File rw True False False -
pagefile_0x0000000006490000 0x06490000 0x06492fff Pagefile Backed Memory r True False False -
private_0x00000000064a0000 0x064a0000 0x064a0fff Private Memory rw True False False -
imageres.dll 0x064b0000 0x090c2fff Memory Mapped File r False False False -
private_0x00000000090d0000 0x090d0000 0x0914ffff Private Memory rw True False False -
iconcache_idx.db 0x09150000 0x09151fff Memory Mapped File rw True False False -
iconcache_48.db 0x09160000 0x0925ffff Memory Mapped File rw True False False -
thumbcache_48.db 0x09260000 0x0935ffff Memory Mapped File rw True False False -
iconcache_48.db 0x09360000 0x0945ffff Memory Mapped File rw True False False -
private_0x0000000009460000 0x09460000 0x094dffff Private Memory rw True False False -
private_0x00000000094e0000 0x094e0000 0x0955ffff Private Memory rw True False False -
pagefile_0x0000000009560000 0x09560000 0x09561fff Pagefile Backed Memory r True False False -
private_0x0000000009570000 0x09570000 0x09570fff Private Memory rw True False False -
private_0x0000000009580000 0x09580000 0x095ebfff Private Memory rw True False False -
thumbcache_idx.db 0x095f0000 0x095f1fff Memory Mapped File rw True False False -
private_0x0000000009600000 0x09600000 0x0967ffff Private Memory rw True False False -
private_0x0000000009680000 0x09680000 0x096c7fff Private Memory rw True False False -
thumbcache_idx.db 0x096d0000 0x096d1fff Memory Mapped File rw True False False -
For performance reasons, the remaining 376 entries are omitted.
The remaining entries can be found in flog.txt.
Hook Information
»
Type Installer Target Size Information Actions
Code pagefile_0x000000000caf0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x1fe 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x1f8 2 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x20c 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x206 2 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dce kernel32.dll:AslpImageRvaToVa+0x21a 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 kernel32.dll:AslpImageRvaToVa+0x214 2 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x3fa 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x3f4 2 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dce advapi32.dll:Wow64RedirectKeyPathInternal+0x408 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 advapi32.dll:Wow64RedirectKeyPathInternal+0x402 2 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dce kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x146 8 bytes -
...
Code pagefile_0x000000000caf0000:+0x28dd2 kernelbase.dll:ActivatorUpdateForIsRouterChanges+0x140 2 bytes -
...
IAT pagefile_0x000000000caf0000:+0x289b5 155. entry of windows.ui.shell.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 282. entry of stobject.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 268. entry of stobject.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 81. entry of winmmbase.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 110. entry of winmm.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 147. entry of wlidprov.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 112. entry of abovelockapphost.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 121. entry of windows.networking.connectivity.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 99. entry of notificationcontroller.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 116. entry of wpncore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 68. entry of provsvc.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 9. entry of filesyncshell64.dll 4 bytes advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 101. entry of filesyncshell64.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 121. entry of thumbcache.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 283. entry of ntshrui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 240. entry of applicationframe.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 153. entry of twinui.appcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 100. entry of windows.immersiveshell.serviceprovider.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 530. entry of twinui.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 570. entry of twinui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 681. entry of explorerframe.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 112. entry of sndvolsso.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 104. entry of sndvolsso.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 116. entry of twinapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 68. entry of wldp.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 47. entry of settingsyncpolicy.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 79. entry of profext.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 98. entry of tokenbroker.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 85. entry of tokenbroker.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 98. entry of settingsynccore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 110. entry of coreuicomponents.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 56. entry of wlanapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 69. entry of webio.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 235. entry of hgcpl.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 56. entry of shacct.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 39. entry of networkstatus.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 160. entry of inputswitch.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 154. entry of wininet.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 166. entry of wininet.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 187. entry of urlmon.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 166. entry of urlmon.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8
...
IAT pagefile_0x000000000caf0000:+0x289b5 489. entry of comctl32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 51. entry of msi.dll 4 bytes advapi32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 93. entry of winhttp.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 30. entry of samlib.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 84. entry of policymanager.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 82. entry of mfplat.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 116. entry of ucrtbase.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 117. entry of ucrtbase.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8
...
IAT pagefile_0x000000000caf0000:+0x289b5 55. entry of d2d1.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 236. entry of windows.ui.immersive.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 206. entry of windows.ui.immersive.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 115. entry of iertutil.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 126. entry of iertutil.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 143. entry of iertutil.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 135. entry of mrmcorer.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 236. entry of srchadmin.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 62. entry of dhcpcsvc.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 229. entry of propsys.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 87. entry of mmdevapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 129. entry of es.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 154. entry of es.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 103. entry of dxgi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 71. entry of d3d11.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 91. entry of dwmapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 39. entry of ninput.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 54. entry of bcp47langs.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 92. entry of settingmonitor.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 61. entry of apphelp.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 307. entry of uxtheme.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 126. entry of twinapi.appcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 39. entry of rmclient.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 93. entry of userenv.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 124. entry of dnsapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 50. entry of powrprof.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 64. entry of profapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 89. entry of cfgmgr32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 236. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 245. entry of windows.storage.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 215. entry of windows.storage.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 113. entry of shcore.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 85. entry of clbcatq.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 88. entry of clbcatq.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 517. entry of ole32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 550. entry of ole32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 79. entry of rpcrt4.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 230. entry of user32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 240. entry of user32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 177. entry of shlwapi.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 261. entry of msctf.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 185. entry of setupapi.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 174. entry of setupapi.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 220. entry of combase.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 668. entry of shell32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 638. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 631. entry of shell32.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 41. entry of wldap32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 199. entry of advapi32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 116. entry of oleaut32.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 133. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessA+0x0 now points to pagefile_0x000000000caf0000:+0x316b8
...
IAT pagefile_0x000000000caf0000:+0x289b5 134. entry of msvcrt.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 789. entry of explorer.exe 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 808. entry of explorer.exe 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 134. entry of pnidui.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 142. entry of pnidui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 277. entry of authui.dll 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 302. entry of authui.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 271. entry of authui.dll 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
IAT pagefile_0x000000000caf0000:+0x289b5 154. entry of audioses.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 139. entry of actioncenter.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 2. entry of syncreg.dll 4 bytes advapi32.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 187. entry of shdocvw.dll 4 bytes kernelbase.dll:RegGetValueW+0x0 now points to pagefile_0x000000000caf0000:+0x94d0
...
IAT pagefile_0x000000000caf0000:+0x289b5 91. entry of winspool.drv 4 bytes kernel32.dll:CreateProcessW+0x0 now points to pagefile_0x000000000caf0000:+0x315b0
...
IAT pagefile_0x000000000caf0000:+0x289b5 84. entry of winspool.drv 4 bytes kernel32.dll:CreateProcessAsUserW+0x0 now points to pagefile_0x000000000caf0000:+0x318ec
...
Injection Information
»
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Create Remote Thread #7: c:\windows\system32\svchost.exe 0x554 address = 0x7ffb48189fa0 True 1
Fn
Modify Memory #7: c:\windows\system32\svchost.exe 0x554 address = 0x7ffb48189fa0, size = 4 True 2
Fn
Data
Modify Memory #7: c:\windows\system32\svchost.exe 0x554 address = 0xcaf0000, size = 1257472 True 1
Fn
Modify Memory #7: c:\windows\system32\svchost.exe 0x554 address = 0x5ad0000, size = 792 True 1
Fn
Data
Modify Control Flow #7: c:\windows\system32\svchost.exe 0x554 os_tid = 0x2e0, address = 0x0 True 1
Fn
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt 0.65 KB MD5: d0129961ebfe50fa6ca75d21eb61e3a4
SHA1: d27b99f26b21b15b3596543c71dc9c90bcda9b19
SHA256: e806c3f694373d51d383c0c751000397134ae24b0ed1ebea86022e84acde3d90
SSDeep: 12:Sx7DM959MgXARZuYuDM862BXTOXGyPgfdYdpwmDM9koTjgwXBvDj3DM9b7wX8xvN:4c3XARZM/62BXTJsyYrD8TLXBv3xXS2e 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt 0.18 KB MD5: 4ca3be7b04c247e9d449a44b5a6cf858
SHA1: fd9d71ab81c71a557b7ee6aa85ac506361dfd956
SHA256: ea3f148d4ea306b09742b10db720a8168de6369b284aa84aad00e3045afd4c17
SSDeep: 3:ePRyKK0Xv7YcMccpXQNp88CvXIGIcRrSMIlQsc9FyKK0Xv7YfUHWVTdzRvXRcR8g:ePRqcWpvXIeNFI+scziUHWVTdz0vXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt 0.17 KB MD5: 7512aa3e2c38a83f4d3d26a7d8714511
SHA1: 2d2ea08774c1ccd206f654bccd7650d431a25a55
SHA256: 865544f25418bb6b865f00677375499c3736afaf03168e1dadb8ab40dfcd7f8c
SSDeep: 3:sUcnRPRX6Fs4dRgC7xP+OlmHcH6JKvBTKfXv6NJNOUjSLG20vXn:AnpRXKsQ2C9+D8CqBTJ5OUugXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt 0.09 KB MD5: 94aeec86e28b468192928766c6dcd061
SHA1: c84c43fcfe2081435e76289ab216a118c4c3ff9e
SHA256: 6312190e1bafb72552b848c7aee99f0af8efc58ee9312a99d612b112f506d4b7
SSDeep: 3:8VZJVWRdiFSiRYVMXUR+YcUNZ78X7oVRCvXn:8bJAviuVdtbqowXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt 0.10 KB MD5: 63652588e7b2644c7c3e06cefcdc6ec9
SHA1: 8f3b736d7810b688cda2fdb4eaeff62001bf6fb7
SHA256: 3e7424ea43c00b67dfdd810ff3e38fe341cc1f5d7789a8598fa59729a17204d4
SSDeep: 3:rdiUALD36fh68VXJUafNc2HkCd/OQvXn:rkj3qfbVXXqikeW6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt 0.38 KB MD5: ff1bdcd2fb639a27a68b241eabc26573
SHA1: 08d9f85bce5887c701fa17429c926465f07e6ae6
SHA256: 7d17362d4a8e0f61c2190281258dc6d6ec48f730af23a20c21c0cff2f7f67add
SSDeep: 6:BqVsFaI0rIE/ZyoK6XnTE9ZOdNsB6XYHheZb56X7/ZyoR86Xn:BdNE/9K6XnTE9h6XEw6Xr9RxXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt 0.08 KB MD5: f68a5a9f24cd597cd017d6b110f1a58a
SHA1: cc344df28581989de9849bee9d006ae66e9b696c
SHA256: 8de29fee8c9f103ebf86fd687c9d459359e7cdcd6fcc444012ac034fcaa18080
SSDeep: 3:/1I4JlrMyfUVXJUEumXxfcTj7DvPv:9nloRVX1dRcv/ 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt 0.53 KB MD5: d317e0d803462b36d582dbbf05599ce8
SHA1: 4e82e1c8cdaadb1d0232b3beda72fa1a6ac76f99
SHA256: ed3d512e3716077a56a3643c836cdfe7ec90b1f4c9d7fe3dfedc4eea22bbac8b
SSDeep: 12:fH4Q2iMdWTITwXUT4iMdWzXtQvyG7b+KI7Mh0fT4iMdWxXhwiiMdWxXn:v4lVEawXUT4VEzXtBKI7MsT4VExXhwiW 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt 0.39 KB MD5: ba6d817ec272e0cba47c5d3945339cf5
SHA1: 4666d6cf0335925921526d35ff659e5fca9780fe
SHA256: 44d3b0c7312933d93c5936f4ffcd21c99ad4d7fdd58db88e07e7904f8047b63c
SSDeep: 6:A9SyjIwvV+2XCBYdohGMGsMat5KGjxbQCiFGdh4Jci17uIopvV+2Xn:AYaI0+2XCGdMG2ClC4Kauf+2Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt 0.22 KB MD5: 646f6f66ee081cce757e52ea4d808b12
SHA1: d6e593830037973275e78dc09e49cd8c038d53cc
SHA256: 0f3c844901ec5fc3628fc6feb57d0aca9185bf82bf7aabf3263d366dd306df62
SSDeep: 6:zCAA7xOe6FQRxc7XMDKoSHXoPNsnbXydLoSHXn:zYxOXFQRxc7XMeoSHXYNsnbXydoSHXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt 0.28 KB MD5: 5af345c73008bfd2c26007c01d223878
SHA1: b02288508e971719897395d0743c7bfe317c164e
SHA256: 886e2f0d2a72ccdee3fa169a40e3ef53ad5e96872c2ea2be2d2ad270cb6b413d
SSDeep: 6:T3TMqFLqz1jaU/CTDOz6W6XQ4ntxsUUuSjYjRUrMQEFFaU/CTDYRegwXn:LTMSLqRjaUYK+W6XJtfCrEaUYECXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt 0.08 KB MD5: 7d9c78cacb5a9cb94eb5aa8a2c742041
SHA1: ede585bae4c1e97119da972a37087b36838f6b02
SHA256: 9b3205b34c79623b10c63068cf77aea314094fede20a4d791e1b0ed61f040c52
SSDeep: 3:Kfx9L14XL00Xv7YceQ5vUVYrlTsLZ0vXn:cxv405VKrlTCkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt 0.70 KB MD5: ec0e2a4bb106d6fefc2a641a611b17e7
SHA1: bb2a769409d68e5e217acc5b010a53186354819c
SHA256: 9156016b2fafec5d8f2613e93aae9168651696bd24170bfcf3c9375045bcca67
SSDeep: 12:BcTUEk098kjXmv098DwkXmN098D/XmrPq/009pIwXmtCAb/XmcKSJstVYZnokNW7:BSdkDCXaLD1X2LD/Xz/0OfXkf/X4Sm/N 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt 0.49 KB MD5: c5b160a6bdddeae0b05016d73c9d3e15
SHA1: 48ef4584afc0a4f99690fad0622fc7b5b1ac360d
SHA256: 6485f3db1ac00f87b4cb91f1caeb1e1a70af5c224e012598470fe847b2ce9e4e
SSDeep: 12:fKQ5lxWmBEL0NKtoZXWDoYXqNKtoknXktelMwt0ny4NKtoknXn:fKcloWut8XYztbnXktMv19tbnXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt 0.21 KB MD5: cf2137c36db861ac3451b0e44da7d996
SHA1: c56e668e1a8c9d2cc41344c2d848f881b6f04732
SHA256: 4dbd03091b1d18a4f91015af52467c40904ffe5da0d53302ff8b831786c5aef6
SSDeep: 3:8MrvwWWQDjSxQ7XFIyTKPv7Ycyl1XPJL9vWLRCvXRFA6riZ6cvUA/0dSIyTKPv7I:jqWjS2ph5ld7W6XuELA/kSh5ldZc5wXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt 0.11 KB MD5: d228b825d1ae810ff83a16fb6a27d410
SHA1: 18f59e4e7353676e7088cbcae5f4c68e380595f7
SHA256: 5b95c77b52409ac5e99e3da6a5f9d1a333257b9e0241b3ed6e80f9ebf58b3a1a
SSDeep: 3:WXIQ8TRay7mbvj2WLv7YceQ5vUVYrldScUWOVavXn:Wd8wyq6zVKrldvUhkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt 0.27 KB MD5: ec239f6ffeb2202bb92f8c9d760a41f0
SHA1: c4d0d9637718bcd0889b2ada1f09aa0c40327808
SHA256: 80af63bb11ee86997800b9b952f7b279becdcd1728fd3592975ac1feb31d50f0
SSDeep: 6:AWI1dfZTkOUugXS5rrqtaNIj1XoxKZTJyIYCXn:IZTkOUugXStr4a8w6TJvrXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt 0.09 KB MD5: cc85eeb9c325d0d9f2c8863db4b981f5
SHA1: bbdc8bcaf9f8841c234df6e03c7cc40dd2973275
SHA256: f08b945f6b90082d1dca17d29a0596c9b3489fc6d139c41e003c24335cc6f91e
SSDeep: 3:e9npZtPfAIioKKPv7YeuXJST/dGWVvCvXn:QZBVAIJBVkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt 0.33 KB MD5: 296d887b58e5ef72cba662dc9e71e600
SHA1: 04695b299c9b54ab8c694bf9fd986b20b9e09931
SHA256: 6909734c0f752dc11a7972fd04c7f7e59076a84fd9df44dffaa084483ee64631
SSDeep: 6:37IpLkTNyTlQgwXeKwYOUQe/XnJeMehd/qCYVTJh0z4xswT4lVRXn:3E9kTNyRdwXV2s/oX/3kTJh0z4KwT+TX 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt 0.20 KB MD5: e939180a8bff9e08419c60841301c2ae
SHA1: 96d0d00bafdcae91c8e4603d0b1e5465be4a7e71
SHA256: 68491399f80f0d0481a90cd3e42834262b21465a7784a98760d8293ff83b4206
SSDeep: 6:KRX8WWXiM2scKvYXyISWRX8WWXiL3ogXn:qX0XiMyKvYXbSWX0XiL3ogXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt 0.11 KB MD5: c2b3517e60b42eb30826372db0ca3139
SHA1: 7409416323c74bd2940aa427bc175ae18b3348e9
SHA256: a3f4b18cbc8682d64e3be168817108b8eb094e169f5ec909ea633fbdb076c922
SSDeep: 3:+SQIQ8TRay7mbv2I2FLv7YceQ5vUVYrldNWVTevXn:08wyq+oVKrld8TwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt 0.17 KB MD5: d3464229c025862a45b24654941a9dea
SHA1: c01459638e242ec6de1ca43e3dbca8584e225c1f
SHA256: 90f209194b4e0c46f7d1fd37ecdbccb217498cd6296685c0c821b216296aa549
SSDeep: 3:xRXE1oQITviMzoRvgKwSZdOVTV0vXGTSSmVTSkoNvkoQITviMqDMRvgKyEVkLlC/:kuQlMzoRjZaVZWXGeSmhSk4QlMkMRjHr 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt 0.09 KB MD5: e478700e454e0bb1742a70f00207df1d
SHA1: 33af30eadb826320c12c054ebd13a61edf44e8f5
SHA256: 7a8db261e58781982babaa6c592a34d5c1c78445b540e3928ffa85b528cdb813
SSDeep: 3:5AHKWqkUVZsHdyKvXv7Yew7Sd3vWJBSlYyZ0vXn:NWqdDsHc8NaBSlTkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt 0.09 KB MD5: aee1a01083ef6a58ea22dc1b7235b67a
SHA1: c7b76283f65ac1b6fba6c4696dea692fd7f5a819
SHA256: 6b6b7e5274e117ae63485b7ccf0887d5f75dbd19eba3f84e61a93c4d61f57d9a
SSDeep: 3:ZDaNAtqLSxovXv7YfXveKd0Dl7O5evXn:ZOetZWKdOvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt 0.10 KB MD5: 27ba80dd246a1b4c7dca6d48a42cf9dd
SHA1: 20e67d18a7dda80804ca18d076197515832cf465
SHA256: 987e808573adb84b0148517081d6d3bf12256973fc558293629936bf00dc74b8
SSDeep: 3:AGunUcVhEp6DqBc/A4v7YelXuAZST/e3dXX5evXn:AGunUc4dgAUeAIOn6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt 1.34 KB MD5: 439e180784d9ee72582c7403a9a43832
SHA1: 49c18f3e224df6b26526c747337ce25cd60e3704
SHA256: a1cca4a3435c45936cb9061096683e48bb52ee30646ba633448edbecbfd81fca
SSDeep: 24:idTEwXUIx+vnXAizQ7vnXX5xJRsJIwTNYisGENLjmQHhhi8GClSeX53WfU3smzfc:idYwXUIwvnXPzCvnXXLA6MpsGEtLHhQf 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt 0.09 KB MD5: a222123fe4776ac2b250bfbc74759290
SHA1: d494721e269d8df189f847f3c63e95977bc5a064
SHA256: 1ac7fb7394be8409fa0b4bd48ecf6bb8aad299cf0fb8cb812a649cd119995d1d
SSDeep: 3:tqlsIvgXLMKY7YfUf1/WJcWAvyaOlCvXn:UuIIXLMKVUfScWKyavXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt 0.08 KB MD5: 9542135739d1d79e8800a0cb72b64dd4
SHA1: 78ad4f96af7f63c24002d53393995731a2b54ec2
SHA256: 3f556a72c2576c094f63593d87bb9ab0b3f71e1e7221509406a036364d9b37ad
SSDeep: 3:rLVMlYJiGTuv75vPrL6HgevXn:fVgYJwvPnagwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt 0.81 KB MD5: 4e39ff879c13325ac133cbcccc16f96e
SHA1: 18527b12ab6f5411be70b2bbd2da02b6bb3665c7
SHA256: 3d81c7c7e7cd4890d73bb3d596df78064ebe186cae7ec33811e54ad7d7e7b90d
SSDeep: 24:uYaQddetkE3JGjnXeGjnX6k4SvnXHbXYkftpmXBOXUrj8s/3X6m1QoXn:uwex3JOnXeOnX6k4WnXHbXfFYXgXUcst 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt 0.30 KB MD5: 4609eab2d4eec4fece79e9db504a0d9f
SHA1: 7018259a7fdd640ba5c298ea13c181d933500d57
SHA256: 4d8c0deb3306a3fdc1d57aa11905c176173cd05dcd7f7fb66e9a84f5f80f99db
SSDeep: 6:3SFW87rYgE6wXUuZaIhqv6XnE6wXWsHI1hq4u6VkXn:Cd7rXExXUuZph88nExXWFLu6VkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt 0.17 KB MD5: cb328f47b7e47d1b54f67ed63f9e3a0b
SHA1: f1d8f17b35e4ed673b94842d64c0032489099024
SHA256: 3fe1e920f4f285b764364522495178595edd3e69291d2557a0715a7e5ee8d323
SSDeep: 3:uWviTSsR3ur9cWTiILEVtyn8UoYtu0dXv6NuRVmERvUVYrEavXn:uWa2sQrlTatynfKERYVKrEkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt 0.11 KB MD5: f94377fbbb674a5f88931341223281e1
SHA1: 33cd3fc3430328fd94a9f899a8fd899e53440278
SHA256: ec81b248326cd4fe781ed014427e2266227d7ea4f731e079d332067fc6a8eb25
SSDeep: 3:tyEZRwVV+fQVMLv7YZUTlJST/9cTVZ0vXn:olVtUKhcTVkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt 0.28 KB MD5: 76948d013eadec4f86c2ede10cd27b30
SHA1: 97b96710ba837491097e1934a8b07b29f402371b
SHA256: ba95a96baa9ede7e8212151401548c46b883c8d271523c73d0a2e541d93cb8a6
SSDeep: 6:6AUFHWROjIkBJzSQkhGvkbbUXqA/W9khGvkbbUXGRrkRvTXDWXn:r622Iy+QBvkbbUX6BvkbbUXGVsvTiXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt 0.11 KB MD5: ed62b64b5e3541d37410394c1d7664eb
SHA1: 3f8f0e7c5a1275b89041ab9c05f36c3dffc06059
SHA256: 94f223a880d761107a38fc85303a26a2b70395b74051ff91f59e324e924e1c06
SSDeep: 3:2T/TXpdUWjyqMATeLXPv7Ye5ST/t18CvXn:2T/TXbOqBTUXU7vXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt 0.09 KB MD5: aa3652cf271fc1af8e50d76b58e011b5
SHA1: ad8f6876047409eff1cba8bcbdb39f65e3cc4ae0
SHA256: af49a40bb3be28e62378ec73d8eedf16fe8465b7b8f068219b037e5ede047760
SSDeep: 3:IJavZLGGPv7Yc/RIXQNoUdTW6T7CvXn:IqMGBRInUdTW6TwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt 0.20 KB MD5: 1c0555248cc28dc289a1de0494ca6701
SHA1: c9f1a1b2cfc200b2117acf5dceeac5aa9375aed1
SHA256: 96d94af32904aa45a01c4388e448055e694c9ce53a1c359aa623ae95a69babe2
SSDeep: 6:HEjiV7qRDS466RfW6XwAjV7qRDS466RfW6Xn:k+qRDlD+6XNqRDlD+6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt 0.31 KB MD5: 097034e89b2bea9d50e5a8bae3d418a2
SHA1: 959c39c666e125550bc5f6d1d88320cdc23dd8ac
SHA256: 1065fdbd673eb769b0e01647cfc9dd899a2104dce0ba667c61adff4fab470223
SSDeep: 6:nc7RlRImxCmrn4wX4+teRj4lRIVQZBBi2MgX4F3SRIVquTavXn:c7RlBH4wXhAoMQZBBi2pX5MquuvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt 0.10 KB MD5: a4cf7ef2e79ed6992a42566582ea4d84
SHA1: 07adcb8e50b4be19a86a20b26c06c8d6d348a87a
SHA256: 81cffb731f3cb0a5de3d8d3ff1ca8e60ccde03b9f18fc5e293e3607e7ce51612
SSDeep: 3:e7TpXljS0USzM4XWHccJP0VRNyVBvn:W2czMPHccyV3yLn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt 0.17 KB MD5: 17d3a6201294f05e6c9c8119014a6531
SHA1: f020f1df542729b8d5edea3bea1e77f37c372fc2
SHA256: 09ed4d5e6c5ca4e8d2a4f234cf41b067f402ad2b8c242715abbb34a0d82103c0
SSDeep: 3:9WXAPEBYRPv7YZV3od6r8S47CvX6v6bWQlKHELRPv7YZV3od6rBQ0vXn:mAPEZtoq8SvX6qQHEStoqBnXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt 0.27 KB MD5: 239b092bd838a2d2f1852b9a380793c0
SHA1: 1e5f869c84c922150d17126b8c9cc55175aefd65
SHA256: a2d94374e0a07bc6af6178e95c624b7de86aab9df31f6a24871849261fe6ba55
SSDeep: 6:AWDtJuDK7SWZKSYvdTUQp6Xs2jogLPOfUdtvzN46Ec6jYGMRW2dTSOXn:AcuDK7SW0BFwNXF3PO8dtrN46p6MXWYB 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt 0.57 KB MD5: 8e50a0c7b176b80665d7bb5c3c940ea7
SHA1: 38c99bc2db09f3bf288435da964a27efc8821344
SHA256: 20df70d6f877a564ce953114fe2932410f76df6dfa153750eb0eac82490cc301
SSDeep: 12:oERULP3zV1st9IiTuP97Uzj1ifA5cdW8l4Y3uhY3M:jsP5Cm6+97UgfA5DyVc 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3:: 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt 0.25 KB MD5: d05f62dab8d29457779fc5d57d1edf0f
SHA1: ab72c8d6b102efe18770d738b7555bf0ca8120e2
SHA256: 041d385e4c8aecc7b599d43b246a8be1a0c9b8d1c4e0bb516734cda94f71a012
SSDeep: 3:e1aNxXyrXv7YaBOYXdTUo7SZ0vX2kqYGhKXv7YcNc+XPhMkCvX2CfhpdVnRfK0XK:WabXydOYNYcX2FXoSHX2mpXJgopgvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt 0.28 KB MD5: b06bc86eed572b87c6652e8516558501
SHA1: a7b5dbbe8b64096ee17eb1908bdf3c782ee024dd
SHA256: 21278b763254b99be86ccd77ec0935f8fd0604c917ccceef80791861c047c6c0
SSDeep: 6:64X1WIK6hZ1G9wXwqYV94P2kQ1vthZEKrCxWXn:TRjI9wXwq4mRQ11O8Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt 0.27 KB MD5: bc9c1d0adf0756ef930ad50eea728429
SHA1: 5f01fc4b43bebada9498cbe89c02eb52f2b65795
SHA256: 32cf69501b10721bda7fbf439edbf05f3f8a3c4f37188714d55322560318f49f
SSDeep: 6:fRshdSvQbTwXQSXTONZNAZAHIfUShdSbX3xZcopJ5wXn:fR2dSvQ3wXtK3NQAH1sdSbX3DzaXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt 0.19 KB MD5: 906b379bfefa7c26a7532875354e89d6
SHA1: 92d50078852e71d3a20b68c8380dc697564f3fb7
SHA256: be71cc93fedcb5e6b95b71b0937cbf7bebd74ad2f4e9f649626441dd6f5ec230
SSDeep: 3:oI/dyn9eoMzIkGXFiLIoCYK/v7Yc4WhaXeBcj/Q6TVRCvXEBoLm5oIoCYK/v7Yc3:oICjAIkGXefCYK2OaXscbUXEB8fCYK2k 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt 0.09 KB MD5: e0c59cd5f2fb90c52d0a6a60c2e4a7a0
SHA1: 4775537bccdcbf860f12af918265eff3a80d8e9f
SHA256: b100f38940c418321279f53b8515aa065dcef0892a7f0b39cd8af184e30fab93
SSDeep: 3:Z9VTSkLBDKYvKvXv7Yc+VRvgKxU8HgV0vXn:nhSkLAJAVRjxUcgwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol 0.49 KB MD5: c80c85f625b6831740d090127fa1ebd9
SHA1: e36fb4cb9355d044cf0cf12706bd8ff1d21b8e86
SHA256: e185feb8815d64fc0b0b791581e1c7d181bbf5991f81962e7444c9b6e2b639b5
SSDeep: 12:xvHnxJO3/PwbN4XoHiDXEE008AQsn4ljqB7W7i:5nxJo3wbNQCiQE3RdRB7Wm 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt 0.11 KB MD5: 8abfc793b40ca3461ce3fb9079a8fe67
SHA1: 41841bb3ed2c57566243095c06b113971f819408
SHA256: d54f0fcbdf15e23948f9e12428c77e6bddd68a9c0e9a7502124fcca0d8e40c63
SSDeep: 3:KIAMBTTjEIBHxdQBaHoQM7YeKXUUCV6NeoCSPqVvCvXn:KelTjXvQYIQTNCVOCSDXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt 0.35 KB MD5: 2e3b88ce851efdb6297837c7c79f1761
SHA1: aa54915991b7439743fe633b3b7bf9e791341e8a
SHA256: c67e8fd7072a1bda8a6eab7cffe4de2efb8b97e59be3500b5fd9b5ea8e361ebf
SSDeep: 6:aRd3XJys8NaBSlTkXmT3HcoBAaBSGkX44oBAaBSGkXQXhCqDIfdicHRyPs8NaBS6:g3Zt8Nakl4XmTsoyakjXFoyakjXndZyM 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt 0.49 KB MD5: 83edbf270ddbc68c482d1724e8ad3abd
SHA1: d44cfb79fb96bab89291e4daa3a5a0f6444970c2
SHA256: 6ec15d81d07f49b7d7ef5aac56d12184c71baf09af06e6085488184ef0113f7f
SSDeep: 12:GVwZA2PEtCGT4abM/LQpXl9pXe0M/LQpX43R7N+M/LQpXn:GQhPX/ag/8pXhOT/8pX4V/8pXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt 0.10 KB MD5: f99798ef43aaa89a31d3531f2a381706
SHA1: 49b7cfcb09913e46ebfbf31ffdb88483006c18fc
SHA256: 1322157dea51edfb030e63b60b00f4d4fa9c4270eb8f6704e8b6b0227764afc1
SSDeep: 3:Ft4QA7j9lUROOMjLRPv7YemVHSrXRdTjTVvgevXn:XNjMj1rtvnXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt 0.10 KB MD5: 57203257388830d03797fb899b9a2144
SHA1: 6b6f3dc6d8b7b0aad5e78dc3578a6d44230923cb
SHA256: 0dcb61604990096a0a8382cf1fb89c68bb2d3198671570518d16de5294e64b64
SSDeep: 3:hTEfQX2EWI0s9LZv7YchSKXQNkUlE6VRCvXn:aa2/I0s9LrrUlE6wXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809 0.09 KB MD5: 1c6b74959af3dfa3eb5647ac066b069d
SHA1: 18faf4dc3d546cb4001ce3714bf8a3f6c1ee83de
SHA256: 86e04f17d07122a0e7a7a37f0d4ad18e4f2c4cd19429bb48c45fad8757f2097f
SSDeep: 3:Lnkrv2UMADMfcMNPmrjAOGJvjKWEI0jAOGJvvn:LW2gDMUMNP3OGhjKGOGhvn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt 0.16 KB MD5: 7c8e4b563cb7d7e947c00d5a86c69cb0
SHA1: 83c779ad19d5d4ee035495b4ce3ec4663aeb3f9d
SHA256: 7941fee1d98b4fa10810ddd1872afcc1d8b6e0b9f60115ac2de8e74f6c7b5661
SSDeep: 3:NYUQP/Lv7YfUHWVTdzRvXRGRUp7CvXIERSrLv7Yc9dbbZ78X7Ibjg7CvXn:geUHWVTdz1pwXI4S1bRkOLXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt 0.09 KB MD5: 3ba4706f61984e8efe6e242f92d129cf
SHA1: e63b9ae24353c6e44b0798388f731140d79df79a
SHA256: ad383d02cad8578d897104a34574b72e10861989c3fd69deabba66b7a3f5f56a
SSDeep: 3:W0C7D4WDfsJLGGPv7Yc+sFXPXTXTW6T7CvXn:I7HDfsJyDYbXTW6TwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt 0.09 KB MD5: b60e6c5e83996e1fff82c83f41d4adf5
SHA1: b6f889e00213beafdae3a0e3f9f8cb93416ad81f
SHA256: d2d24eee2053c61563573e7314253e481916dedebe686375fb2ff134e65b1315
SSDeep: 3:psNGTWeM9uMQDbAYZUTlJST/xXWgevXn:psN/bwMsbXUKFYXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt 0.50 KB MD5: e02400d092e6cdacb5ac6fd6be20ce48
SHA1: a7f6e16476cff97689fce9af6dcb103fc6f2c63e
SHA256: 64846d29e69fc2ecf47457e5b2ff2dfa45b312b2c77b2fb14ce85d886af61c06
SSDeep: 12:mbdSkXO9WaibdUX5NQAHnN23TuQYXEm9N23TuQYXkf8KrSRN23TuUKNXn:+dnXOSdUX5NQAHg3T8X83T8Xks23TwNX 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt 0.50 KB MD5: e0f4170082366cfaf37f050580d3044d
SHA1: 61e9f235887ebc6804ecd002e9c58d12abe43f63
SHA256: 83bd2d32da76ba4b3fb27c9a9b11d9d359355b5cbdade0f4986625287382d110
SSDeep: 12:m2K9t1qXp7I5vXP4iH5vX62IAc7XBIHcsqXn:Ct1qXpCXP4iFX62IAgXYqXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt 0.14 KB MD5: 6ffbc08da17638b6dfb10b9195cd8a24
SHA1: 2d865d1d504bbc4fd9a8ecfce252b2ded1108c90
SHA256: 428971e3763e7a1d64a9d9c0b1c266234726dfbdcc98b10015c8aa5e41a71894
SSDeep: 3:FbOBv31WATEGkndvO8GbW3QuHgoTEGBhvgv7Yc+RXRdZ78XuNVTevXn:FSBvsATv58G+9HgOvTjRXRZVTwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt 0.23 KB MD5: 0b15f5d10ca33f9d647463a315f69773
SHA1: 95dd0dbf3944e8456dfbcadba3315c48e8055215
SHA256: 1ba872404f6a836bc7afa16e7bbd42f1b0a5e8231ea3bf645985537f10f56cbe
SSDeep: 6:oPcCWm3Qc6XaVZWXQKnhSkLAdMRjHaL6Xtw/LMj6Xn:ojcZXbXnnEGSMRjrXtWXXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt 0.35 KB MD5: a73ba9945a7e8017ac0cf57e170813fd
SHA1: 47eb925d53522e428e93e612607a5f0c5ae08b95
SHA256: 87998def0768c5e83b92d5ff02dc228da09d2fc048d019d9e8ec25a6bd5cea04
SSDeep: 6:sEki6ujJTS+PiRdMQXlQvYRqtVbF/peOQ3k/KOTkCWCd3yv:sEkvuZS+U1QvYEtVRUFRCWCd38 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt 0.23 KB MD5: 0918fa451cf958d2b7359441381271ad
SHA1: b3ac89f7450ffd73d9acb46ecf3fc5cbe6379ff6
SHA256: e49ea66c24aea3a7c174ffbcd60fcd5fda6d6a2c26057434c3c4cc65c7b7d1b7
SSDeep: 6:Yw2sWI466TGinXCc0S+7XJCsWI466Tp5wXWoRx2sWI466T9WXn:REQcXC1S+TxEhwXWqx3E6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt 0.16 KB MD5: 2df0ee3f94a49e7a1a8914f558cf0432
SHA1: 7597be3852704c4730c816f26703e847836922e4
SHA256: 833d06d473bb644765fc3ad437edcbcda662379edf5b6976cd95de0ddf04102c
SSDeep: 3:k6XpA7sAdVUQNc6wWdTEtRXBSDWBTRyXAXUuXvAbQIOcX0i1XPTSWAevXn:JxAEQOjaIjRwWXEAXUuX2ZzXndbJXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt 0.32 KB MD5: 7bc7e24194664bd57552ae27e3fba393
SHA1: 48c0367392eb54198a29e857dda1bd9f620da632
SHA256: 4abcddc3fe92a83634b48ad95ba078bbc21f3861f1aa82c4f8206ddea953294a
SSDeep: 6:TQGP2KrF6ZWX2ijYBr9ktC9ZKGB2Krl8XfJjZPUAGNVKrl8Xn:TreZWX2iaLOXfVSPXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt 0.11 KB MD5: 952fa7ed34793e872db6271b840b6528
SHA1: aa24d10bdc16027e8862cd3ff92a1f343db4c340
SHA256: 8673236e9e92b92cb0ab25895603d08c9300b4e8eef834360881e17c00f8182a
SSDeep: 3:lHSmVTSkojrQIvKvXviMtIVRvgKxU9NR3O5VRCvXn:lHSmhSkcQZiMtIVRjxU9NR+LWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt 0.71 KB MD5: 07e1f9989649112256706501b51a0dc0
SHA1: c819e061208903029c5fe3aa97a48ef2731eb477
SHA256: 26e54015bda2a06be503deb5cf5d1b8744c985ce4479b50b50e780e833d55ab5
SSDeep: 12:FpX6XxvXjOqnuNQAHcIE78zivIaamH1cO2I7/HZXDFzfRpIN656KVzn:FpKXpTLnuNQAHdHiXamH1cO2IrJX2N6T 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt 0.12 KB MD5: 08d540a410aeec5afda6a829023f5d62
SHA1: fdd2929cf14b43dd8670897ff23e2ad2375e8739
SHA256: 08b7b4ffb721a0c79a0b97a429b171e050e1caac6de6830332054565635f0697
SSDeep: 3:zCshvjwrtaDVMURRCU20dZtRMSL3U3m1XPSiLcSZRCvXn:zCAW0DRr2yDMv2dvYSkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt 0.10 KB MD5: eac5d68b5f73531860c66fd02835e6c7
SHA1: cfc0a4c3d920cf7d8092c0cbe75563236643f994
SHA256: 698832eabd4a7b7c57a02697aec6eb40a320fc08512faaacfde45f98c00a45a3
SSDeep: 3:0Q7I+WHcDTMcAwMfjdfXv7YcTRBdZ78XBAgnvXn:VcdHVcAwehxLMvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt 0.22 KB MD5: fa464e981ce1d1d351998269931ffd2c
SHA1: b9ce7e6bcbb56f43fa85297671a7d07389cd532b
SHA256: e189fbe9b477f07c3de8b7abe06542171de1792a240c1bc03f953e186c595142
SSDeep: 6:zCAEjrc5jWojhv/MDKopgvXoPNsnbXyh8oYXn:zvjW+lMeopkXYNsnbXyCoYXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt 0.58 KB MD5: b69bc12496d5523acfa3d6f77d503d6b
SHA1: 70f957bfd1421c0208344735420e1ab5149c92cf
SHA256: 4dc79fdc62ad1e6630a50d8dd3d11b4bad2935b4a5be492bb8ef753491d75359
SSDeep: 12:sE820oMGGVbkXUfEX34f8J8/DdMSkd8GGVbkXX9A1gH6NcgHhGGVbkXn:J8NxZtkXU3e8bw8ZtkXXOWa1hZtkXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt 0.08 KB MD5: ba27405cebed532e86e6fcfcc8ede849
SHA1: cf921eb790eab9f69ec1acc3817c197b270071cd
SHA256: 046c98fd7aecebeb00adfc0f90c4b3655ba07b5d53664370f9c5162664e36c68
SSDeep: 3:FJXDQ/+T1hGgKvXI+YUSfYMJjXQWj7CvXn:7XDQU1QguwfjQWjwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite 512.00 KB MD5: c086878e29f58295040165b8d529978f
SHA1: f82adf6832b0170d777e8414c905da9ae7615814
SHA256: 33399fef9e8e65a148887fb112a866d47b92dd08d861cd510f4e1f2fe8b6a41d
SSDeep: 384:NDf+J1VSvfVRvtIdaYK/gVzV7drvVmDIlGRYJf2:NDf+L6CdbV5t9LGR 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt 0.09 KB MD5: cbe543a3f03bc4dd20755e106fe04df9
SHA1: 0a98fc7c187e9332b09716c4b424994152886f64
SHA256: 8dfa991db0c865c06197b7d3e1e0201acfecbca35cd9913940355f30e23040e3
SSDeep: 3:Z7k0AXWUEXWivf7YcMYlzTvDcBiFSTV0vXn:Zg0AGdGivSzBISTVWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt 0.30 KB MD5: 4034174265387ef7a1deea810c7feb8e
SHA1: ee24ffe264b8ea2d1a503799473fdc89fd0d6b38
SHA256: 5a82c391df9d91405266896d5ab44d2cac52d671df44b1b35f53c60f76d21213
SSDeep: 6:GON+24dbBWg9+VW7BaGYIu8+VeEUOtmWqQWXMH/waU+VeEUOtSBXn:ZNx4+g9q0BaGo8qeERtmOWXEUqeERtSx 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin 0.16 KB MD5: a7aa1f78f72aac124a1537b448cc0214
SHA1: 56f84d8ec9cc925e5a55b50ae8098742bd928603
SHA256: 193a5c4ce851441a18eeae2c3447adf272c4f09bd213f73235c941b82eb4b727
SSDeep: 3:tFoYXBsJaQGQbQoPgcVSRE2J5xAIkLW0HbRQ9Wf1QoPgcVSRE2J5xAIUSqHov:tFdXBWQ8gZi23fCvVQ9W9Q8gZi23fUSx 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt 0.16 KB MD5: 3542c27584ae79503ebc82a304201a01
SHA1: 4e049f8599200e0c7f12f086957645a682d6dc84
SHA256: 54d355a67a4220c2d2171c27b17768c67f7b69336204bf5caa78d2a19d0fe5ee
SSDeep: 3:pNN1gyTuv7YcyfRvUVYrSRJ8vXH/UOvjSXVYyTuv7YceQ5vUVYrlSXcX/vXn:payTgKrSRJ+XvvuXVYyT5VKrl9nXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt 0.11 KB MD5: aa4cb4acfc891c1d86bd79af06632a27
SHA1: c81ca1f450d50b906e0a2489a85ac737f22da2c6
SHA256: d4d5795e4f6954a94bbc0a2032e0d2f674ca5697ce83711b86060c3dd9e1ee88
SSDeep: 3:JhWDhWdVmuPO3LyT0Xv7YcAMvWEHXhZ6Z0vXn:JJdVkLrOEHykXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt 0.25 KB MD5: a1640d6fc4841bce5a607576e359ee86
SHA1: a290ba0b1ddb7c70002be319033caeab3ee47e53
SHA256: 03eab9ebdf12271a78951c77be387b6b522fbed8af8d084a05e33222d47a24ee
SSDeep: 6:cR6vD1XDRA6Jz48bgaXWAaoWy/V8IYUKhvnXn:lXDWwfXWtpyd8IghvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt 0.12 KB MD5: a588597215b073e4419ba2dd98a41412
SHA1: 0758752783cb22108e88d40c4f3cd2313edccb32
SHA256: 38073e4d52dc6b4b6adfda77bd16731a9790e0638dc106e3b2229c933b3859bc
SSDeep: 3:IWAThQgW+FSiRYWyb26BBgKEg40E07YchbRdZ78XCWdQI0vXn:IWAugWviubiqBgfp0EG3x/Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt 0.08 KB MD5: a79195c5c524375b067abba0d0533deb
SHA1: 9d3ba9ac8a17afb371739f76bac374566581b1a7
SHA256: e13809fe52d1a486c350d8528a53b10adeb46b56cf208ee18c59268391a6dd5d
SSDeep: 3:oWVrYyqyyXPv7Yc1n5vUVYrgtnoQ0vXn:oWVrszrn2KrC+Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt 0.55 KB MD5: cbe2e6163070d0dd3727ba3ae1b54c3d
SHA1: cf0e8a0eaeb26002a620e73b291ba47d163e529a
SHA256: 9a910cc79a7ff4f95f5d917ab7aee3a266e94eb80af1beacff423bd7d8ff1093
SSDeep: 12:9PTDjN1clAB51lHPz9dN+zECykX6cFQUhzECirwX6cLZ7Br+zECBynX6cOzEC6Xn:9rDjN1Z5tOxX6YQqPX62rmPynX63YXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt 0.14 KB MD5: 905660c54f67bfc4ff4f105bf912fa6a
SHA1: e1197b654214ca9acded872fd87bbfb5fbc2e1c5
SHA256: ddd120efff365d5b38c67edf515d36217fa9ebb9469b675b03e9947128d31d4b
SSDeep: 3:U8ULA+tRMVXJULvUVYr2mQtWVavXk/tuvFQ+tRMVXJWuQa6ZlSvXTQtWVavXn:AA+DMVXNKr2maW6Xk/tuv6+DMVXHQaY9 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt 0.28 KB MD5: 326b7abab45ab5d7a295ac7f7906d2de
SHA1: ec26372aa173331cf4b6806e6cd806b3a58ada86
SHA256: 3cbeabe1b3581ca4206845cb528045d9fdc38df6a1e2dbd800bb78e656de696f
SSDeep: 6:Wk8+dKXcj9UDvnXWAl8UmXcj9UDvnXTkW2xcj9UDvnXn:WkDdKXcj2DvXWcmXcj2DvXqcj2DvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt 0.74 KB MD5: 05aac76b6e5e572582e6bd568789d6f3
SHA1: 13dd429f97cc2e6441a60d7a2301cac348c73957
SHA256: 3aceb7fcdafc2fbca160384722ceb4b09d5daf98f910fbdb7a0ca3a371549527
SSDeep: 12:IEj/XomgZcnX8mgZuTcXGKxiE4gZuTcXeIumgZO6XWZKBnmRWu/DJuVIS6XWhsBz:UZ6X8PZuTcXdxiEVZuTcXeFZvXrBm3jd 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt 0.11 KB MD5: 9825210d2d9321a0e9a8ea9f10d87245
SHA1: 0b910792e75c625be2ff256eded3251c5e615a2d
SHA256: 077410e4a46c2597c8a4e855016af21f1a6f9940649d7fe4374fbc829ae52c1e
SSDeep: 3:3ykZhTy/F1CRI0XviOG2yRLSrjyyS9VTVRCvXn:isWF1CRIFOG2CmrjuTwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt 0.40 KB MD5: 83644b16875ad59b518a166d5bed5b59
SHA1: 176405896e3158bd9bd3de552966bdb43384a65a
SHA256: e103787ab2e8ed7de8d2224acb22bfbc4681994db83382b73e2b22d690324359
SSDeep: 12:GOCl3ZK8X176GiIEZsBXONo5H3ZJe9qkX/i73ZsQXn:MlE8X1RiAXKsXuX/i7LXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt 0.09 KB MD5: 9a525b9701df706423183c5f00d4f28f
SHA1: fd1d0e39dd90826b4b4743b1b732c8889838c1ce
SHA256: 5fb85f1094ba640e67056c0da963f1c9f74ca7e3de59e30fc097a27fa9afa4df
SSDeep: 3:ZRRGlQGLLzPv6NmXTV4vUVYrgaqr7CvXn:EQcKMXTVVKr8rwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt 0.23 KB MD5: 6d142a6f5e44fc7ce7863836f46cdb59
SHA1: f3051c35b234cf3b8ddce4d148de524c6a4edf25
SHA256: 683de10c0ed7a13c4435580b662312be1cd34987de0408c3aaa6143aa4fdd317
SSDeep: 6:qWbEBnQjRWXEVWSlL4fYQnvvX9YIVvzlJHkXn:qWbonQgX8bqAQXXiINZaXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt 0.49 KB MD5: ab8d9047a136b8ef0e61b12bd7009d6d
SHA1: d55a384d22818d914ef80ddf500dbedcfbc359db
SHA256: 672462423886461f5a46f3774d3c2a948d6d10dac3f7d1d58f6adfdff654edca
SSDeep: 12:I50mX3oZCWXFdaR0a4H1XJP2l5Isfd3G2Q76zqfZkXn:w0PCWX+Rt4H1XI5PN5E6WfWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt 0.18 KB MD5: 77e6230430d7e414dd05526fdcb160a0
SHA1: d16d3249558d650a76e374ff72b38c9ca5ea7420
SHA256: 208c87affcf51a0cc1fbd81e753a9f9af748456008bd84d815fe074a75b09135
SSDeep: 3:UhZKIdQhREcQQHqcAWGl2uv7YejeQVZST/YSeWVavX62Szs8Gl2uv7YcTRBdZ78u:dqQHEcQAqcAWGl2keAI8SeWVkX62S7Gb 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt 0.09 KB MD5: e12ee25dc159278b387468be4240ea17
SHA1: bd8053caa423bf3812c6c77b03f8e939fdc6dfcd
SHA256: 42446a69188bd5c18ebeb93bb0ac7d32267ccbef5fdfa66c38286019af826a46
SSDeep: 3:tM71+lRI0XviOSiRLSrwjvXn:ti4lRIFOSymr4Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt 0.10 KB MD5: 88aa642b64e60a35a0eb0fc41ff77484
SHA1: 318c7687fdd0a21c8d661c356ce04e118b2f8604
SHA256: 8a8c19eb6ba82a9dc432164aaded48f31f52e821b6b171c41811fcd6dc0065c6
SSDeep: 3:8Zh7CsRe2ldf2o7Ld3vXv7YcMVoXPKQR56WVavXn:6wePRiYzR56W6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt 0.32 KB MD5: 5167dd813fd6448a9c120a383ee4d4e0
SHA1: 906d81e4d3497dd2286dc3ab80c8e4387c168e93
SHA256: 59963576ba60900e26c05c1999932a1141dcbf7c67f259e9e0f1d4661227fd3d
SSDeep: 6:6BnqzmMvet/UXqA/9heMvet/UXWJHWROjIkBZheMvet/UXn:orMvK/UXgMvK/UXWJ22IiheMvK/UXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt 0.12 KB MD5: 28aed6b5d232c8d69bdd5c2d0fb72fe0
SHA1: c8986a9f12be24704fea6c072600af8d5ef2a3ed
SHA256: 1883294be4a02f252d15f1603f35ae515f0f6acf100e456b20404bd01df2932d
SSDeep: 3:4i30B8S01RLZGSOS0dEGRuGvXviOBLST/ievXn:4iE+/LZL/kEGuxO8lXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt 0.17 KB MD5: 9dee7b57dcabaa678e34aa6a14c881e0
SHA1: 5e98c1e1bc764d66e61599b2547fd7dc18885f0f
SHA256: 32a428fd82ed595868c88557aede73237053a4af89fee0da76b1cd56d5f7f123
SSDeep: 3:MvKGX3WIdzmmgNAZAWAIfFmNuyMLGTuv7YcPXPIdP7CvXn:AnWgy3NAZAHIfgN0yigdIXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt 0.11 KB MD5: 54f508f03342add430e180d6dbcb3d3d
SHA1: b6cbe338c7e6e6f25bdb955d8c434e9a0cca65e5
SHA256: b5af007818eb027a9106fa34f0c17b373f4b76c8723eab7dbc1dbc3f9d0d46db
SSDeep: 3:Hw7I+WHcDTMcAHcEgR5viMjxRdZ78XBatvCvXn:HwcdHVcAVgRwMjb6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt 0.13 KB MD5: f748c4a8663741332d2d3f371696e50b
SHA1: 39e9629d86ed99fc4ccb6f0bfa76843dc813d50b
SHA256: 9390fa24b3f6a4789dfa7a8645f4b3f79654cb1db3347963ae91c689f74e07f0
SSDeep: 3:U8LfyKfUVXJc/n5vUVYrxReTvECvXk/tuvF2yKfUVXJWvXcN6ZlSvXXeTvECvXn:FfZ8VXpKrXMvXk/tuvQZ8VXcXcNYIvHk 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt 0.16 KB MD5: b76f6a7898e30e10f2573da67930e365
SHA1: 6ed68335f5314ed6cc5c071f523719f4182f6fdf
SHA256: b1bf16fe6e97ff019a2e66a585bb246a7357db9b766e2dfe02370735b5227a72
SSDeep: 3:zTvqGqW3oZGaRtRMVXJXmm1XPSipSXY0vX2CfhpdVnRQ3KRtRMVXJXmm1XPSiLcX:zOW3o7DMVXZDdvpTWX2mpXVDMVXZDdvq 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt 1.56 KB MD5: 701e185a66b6205df319a7031083916c
SHA1: d5b5e9779d95238a140de5ea88039113fd3be9f7
SHA256: 7530a36faa9961a59ef9c22fac64baea4b94947af1eaffec0e5958141fb65874
SSDeep: 24:diB7XDA7X+cNh7XUIGu+ckRR2Jqqnc8iWi24Ew9jflFxfxaS1gjQGQi6VjRVXn:d6XsX9HXUIGUGZjWitEGj93fxWjteHXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt 0.10 KB MD5: bcb18b0e67cb42cdc710ec9374de78e1
SHA1: 5c20b0edfa4ca01023c5f13ae937e3bce3f6451d
SHA256: 9a39cc3f626e7c2e1ac7272992fd3ec758a7fb935ec14fce90fa463cc25301c4
SSDeep: 3:KAXIzEnVXqP8DoRxLBI+Yc4XPlNVC+gevXn:KHCVi8DMNBUdHdXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt 0.14 KB MD5: 7ef6c6ce7f843ad5e5dbe4c23476d57b
SHA1: 9a4ab75b9ba10681a6790f54a3ba1d59277ffada
SHA256: e0fd90163beef3e778f1e0f7ec42839655979fd20a97252a11e7b62e70ff9652
SSDeep: 3:nviXxWhTT52V/nm0dFmx2V/nmNMKsQ94RyK/v7Yc9dbbZ78X/fQTV0vXn:FhTIm0dFmUmNMTQqRZ1bRgfGVWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt 0.12 KB MD5: 43d34b584a1f58538d5bafd3afc46c13
SHA1: 570a16fd3636d58181154d81eb871056ae02e706
SHA256: 101b0a83ecb877aa1df5e25876baa8d08d05e8114f26d292194abb2e809e86dc
SSDeep: 3:eXcLIdvKoAqm6z/zv0NMsQLXQJe6ELGav7YfQFDg6dIvXSAktgV0vXn:esLgv+6z/zv0NMsQLAJhJQm6/2WXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt 0.13 KB MD5: 7f7b455594ec6c1845467547b86196cd
SHA1: d36163af4aa6a94ecb949795941fce93f9185c2a
SHA256: 7e06985f409edbaf7c50b665707659371e068f82308e81370611172081d385f5
SSDeep: 3:NAvhl79wPFdZAZXkFPaUMnKfUVXJRzAXJST/edvVjYRCvXn:NAZd6PZyUBunK8VXfzlIvXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt 0.09 KB MD5: cf94bc0a85e8ec31b31ba1f6df852a3a
SHA1: c4e638ac6d92b4862b30e5382b4ae7aa2332e269
SHA256: 8498eb9eb0e1807995581cdb236fe898ea81d1b64ff97d7705c2a0c5c481654e
SSDeep: 3:33oVIT0xLJCuGGvXv7Yc8MeFXPNXcSo0vXn:B0xLMuzetlXctWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt 0.35 KB MD5: 141ea27d246089f61d2c626824c89ab2
SHA1: 2cdd702daf06e67c4af5035566783cbf162d0004
SHA256: c46c320d59ddebfddd5470a36cb3c020cba0e254c7e793a2d2e7221022367877
SSDeep: 6:AVRkBSC26xSRW10XIBJvANSBWWjN26xSRW10XqJZZVMNVBPtSRW1TXWYSCSSZbWX:A7kBSCIX8aNSBnxIXqJZZCV9XWYSCSRX 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt 0.13 KB MD5: 0275efa4f33da5f0978e5570fbe1a384
SHA1: 018422667b4795a10b5ea7589d8427aecb96ef73
SHA256: 00513cd9b54981cbec62f815a17b94a0cee0d9e3c80a600b29aa8afb1ac71806
SSDeep: 3:FCXNUM2HAnxQXsA8RRJDgRsTTH3KyJXv6NmTIMeFXPNQaTgQ0vXn:FUP2HAWR8DJsRkT3nZSMT7etlQFQWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt 0.11 KB MD5: 6b5ebf13aea6c467dd22dc47141419b8
SHA1: e3906219113c9f7dff3c25f1a87372536bf106a5
SHA256: 66e28e5d2177e9b6ea27ab60c5d2bfab2fc144b1a19f7e735e8f21decc79476d
SSDeep: 3:CQ7TAAJOVjuvbMyKfXv7YegtXJST/2LL0vXn:ZfAfSjdCaLLWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt 0.10 KB MD5: 4318c9793f2b6a347dec8834d135ca6c
SHA1: 191409ec70269a97d74553605fe4f188d4ce79a0
SHA256: b42fe0fb5430206830f63a114e6a8e975e310c5c73b40c3c1467000893c43ff7
SSDeep: 3:mCVNUvRRRB2WaYePkdUOORUJ3WM7VSv:mCgvjxykjVD7cv 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt 0.54 KB MD5: 5c8ae4959a0d7602619a3c66988154b6
SHA1: 220cff54515520d13f6822205893651f2c548d2a
SHA256: 02214826575ef29b128c1a57e4e90516d113a6f333a7554ebe6cf8e47cd97493
SSDeep: 12:FYTNwX2XxEbXyf9t2X2X9bXyfFtHXYNsnbXyflMW6X8tuvNvvImX2X6QbXyf9t2X:FYhwXY2bXw9t2XY9bXwFtHXZnbXwlKXw 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt 0.08 KB MD5: b2899520b074966f8c8702ae7c4d5a50
SHA1: 0aac474abe1290e92a6f7542a088a921abce85a8
SHA256: 54c32dc0359a44f3120ab4de1785006aefa4c41770237de106ceb67c76bdb6ba
SSDeep: 3:zws66RjcBvX0bfUVXJXnRXbZ78WUX7v/vXn:zw/QK7VXZbHUrvnXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt 0.12 KB MD5: 1fd4e359831f8693be70203e8961781e
SHA1: 84bbd3624f6f0574361b21cc7af2a1a735bc81de
SHA256: 76850c1318b057dacf5670a830f1ddc150c3c4080122ec034f23ee1c58f561e1
SSDeep: 3:SNoHNxnFEBVUEXGEqQgBLQ/v7YcOcpXQNqTJr7CvXn:/HNxnoXGzQZMcpltrwXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt 0.37 KB MD5: 929a203e2d9f0e28ea39b88f5cb2bba7
SHA1: 5f9296dc59e420d0e5e16cbac196f57959cf1b74
SHA256: e64462d7465fc07c5bf16ada6b394cee95b9526516338e4342c32b773afa21a7
SSDeep: 6:MFOKZSgnlhWgW5GLsCkyRiENBH0fQ5kQbJRtAt/HP8y1AUaUKm5wXn:0lraFlyRiENBUoFbJIBv8ySm6Xn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt 0.99 KB MD5: 72ea382b36198a27148aab5f1d348dcf
SHA1: a54832a578317e2d3faee12ca664fd9e8ea355ed
SHA256: 0e3df950902b1ab87598b3ce3d757c02cc2b0a315185c3349afc7553bf917cb8
SSDeep: 24:YTfyr8b1S4XaWX6j05X6tX0/eX6OkMX0bX637Xxb3Q1XRd50KHVKkXRWHVKkX6Oz:Qr1/XzX6jIX6tX/X6OrX+X637X5g1XRC 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt 0.42 KB MD5: 5cc2e105ff2d69d964117649bd67160d
SHA1: b087f166166accb1cbbb309c1050d3a7aa8467c8
SHA256: 1cad1bbc79f2dc24c368b0bc1080a4253f11682b458d6b103d060e16966db4ba
SSDeep: 12:9/NQAHX+JQo3Tu9UI30fOO7iIlEd3lmotBN+sADvG4QO8XEp0O3Tu8kXn:9/NQAHdo3T6r2C1vBN+sSv1QO8XrO3Tc 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin 0.15 KB MD5: a02d2224008599066a39c76eb90de6c0
SHA1: 36fa956d9848c14afea1812b6ba735fde55021fe
SHA256: 99c10eeaba1c8ea511fb0db85be00aac6751e2f4e991380aebf07241a3476f1b
SSDeep: 3:tFoYXBsJaQGQbQoPgcVSRE2J5xAIkLW0HbRQ96MHZaACLkhlTlidgov:tFdXBWQ8gZi23fCvVQ96qNidgy 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt 0.26 KB MD5: dd992b32063ca9d838df6c853fc671db
SHA1: 421ee2107e0372866ef3c3970ced55a546bf6101
SHA256: 437027be071e1dc7e108adf484bee7e1df18497ba2cb1d3844588761093c0b75
SSDeep: 6:LnLF/XCoVTyeAIrMz/XIJ/FloVTX9BEbZXn:Lp/bV9AIAz/X0/4V79AXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt 0.15 KB MD5: 6be44de3554a12014e26570be04bdf1a
SHA1: 44fabc96184d0d045b87d05d50efe49b21b626dc
SHA256: 5f704f35e7f3fd56e614b8d32993735b5108eea115810deaa3592ce837c1648d
SSDeep: 3:y8v0GGLd/v7YcJsFXPq4cavXLTMb8TEd/v7YcYTlRZ78X3JcavXn:30RLdPstGkXkOEdSThoukXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt 0.11 KB MD5: 940ca1bd61c2553cd9f95a93edc5997e
SHA1: 739c28b26f326039315b87eb7d0932bd85d59d88
SHA256: bd86c349ecf385b282c4b93d35ecef3e06e1c0ecc6ba9d51221942d4c108ccc9
SSDeep: 3:1GfFlDZkSDsdmAzu5XuTYelbST/6rUdTOLRCvXn:1GbZOiQGnROLWXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt 0.20 KB MD5: e763ee15bebb2fc6de2a805d11c0ad7f
SHA1: 8d98b94aeb2f51e4410aebc229b7329d207a20cc
SHA256: 452f9dba8ffafb071850743f0b0b9f708c7799ab8f9b8f89df55adca18d86f46
SSDeep: 3:oiRSHddSVIq9DeFWVNDh0Xv7YZVH2ST/J+RaR47CvXWW5+djSoIDh0Xv7YZVH2S+:DS9dYIogSpdFTf4wXWW5ijSdFTR7gXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt 0.79 KB MD5: bf408165c746b6f91c2e94516428ce3f
SHA1: f4eba85e0ef065c8c27aa4abcd3cceb797ffc8ca
SHA256: 4e574e952604e1447aa6ab19b59b412e8515a01892f23a01cfb0c418f73a451b
SSDeep: 24:8pKi5UWXHbXuR8jXKWIyMwX6gxWxmwX6fHa0xbnX6kbabYnXQfbL9zfinXn:WBdXHbXuIXKWIHwX6wRwX6f6wnX6kb1R 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt 0.20 KB MD5: 8b51a9ad393e18f9c0bce2e94aafa770
SHA1: 9027543e02b28a0fffaba18cb64848f69fa0622d
SHA256: df7ff86575bd65cd23454aa9eaab24755016d5d30c7141ae12b8da3634a6f3d1
SSDeep: 6:s8nqs2S8jaKTyn/LVUSO96N/DArqp38rkUOTWHbpcv:s8z2S8BynzV26N7+qNdRTW74 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt 0.11 KB MD5: 695b6df8ace37000ebcdd4a5ccc58f60
SHA1: c05ce4eac17bf4fe26ed646fcdb44a6fc0572b7b
SHA256: 673dc8663a4527c3941c4b83ab3902ca79cb9a606635c82fbfed5eaa54ae04e3
SSDeep: 3:CqEXjFDJT6pch/0E4XvilbGTKPv7YeGSUts9P8dTUCvXn:iXjFdTh/OXvzKaE8RXXn 		False
...
C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt 0.11 KB MD5: 0584bb7512a9cfa5ceae7af231835286
SHA1: d2503f883f6ff49ccabb5100ea965c79a5dd48ff
SHA256: f1fa017a59ba4d40e1f63c55343cadf1ea6414c932aabe1c4a86adc5813038f6
SSDeep: 3:KOXPGo3jX6uYOH3XiO4I8VXJRQVvWx5XZ6QcRUVBvn:vXPG2jnlniFPVXfoaXZ6QcRULn 		False
...
Modified Files
»
Filename File Size Hash Values YARA Match Actions
c:\users\ciihmnxmn6ps\appdata\local\microsoft\windows\inetcache\counters.dat 0.12 KB MD5: cfd804a9114ed191f2082dc36e51763b
SHA1: adc53ea8c3ad7254631fa3df2d5489b9a6862316
SHA256: 90102a533761215cb024dd1003b594eff2e05f63c99f63538519d135d0f47337
SSDeep: 3:/l4l3l:e 		False
...
Host Behavior
COM (1)
»
Operation Class Interface Additional Information Success Count Logfile
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE AFA0DC11-C313-11D0-831A-00C04FD5AE38 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
File (900)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\adsldraw\autoclb.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_OVERLAPPED True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{5A76122F-F1D1-9CA2-4B2E-B590AF42B9C4} desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ False 1
Fn
Create C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E} - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\ - False 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie - False 117
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low - True 1
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low - False 110
Fn
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827} - True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\6581.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\D969.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Temp File C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.tmp path = C:\Users\CIIHMN~1\AppData\Local\Temp\ True 1
Fn
Create Pipe pipe\{072bb6f5-baec-d114-fc2b-8e95f08fa299} open_mode = PIPE_ACCESS_INBOUND, PIPE_ACCESS_OUTBOUND, FILE_FLAG_OVERLAPPED, pipe_mode = PIPE_TYPE_MESSAGE, max_instances = 255 True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\ type = file_attributes True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\ type = file_attributes True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1 type = file_attributes True 3
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\Cache\ type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\ type = file_attributes True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\01D46BD24DAB98E809 type = file_attributes True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies type = file_attributes True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin type = size True 2
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin type = size True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin type = file_attributes True 3
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin type = size True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ff\\8i341t8m.default\cookies.sqlite source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\sols\macromedia.com\support\flashplayer\sys\settings.sol source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\2XBM2EDN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\8489XH4E.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B4K109K7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\B67M68H4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\OOUVZSZN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\TIGZFGLM.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\XNW1G0SM.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0GHTMU6X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0MDKR34W.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\0Z1JIEVI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16DOE15M.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\16Y0X4V7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1L3KU69N.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LFQZEOH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1LLUY7B7.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\1UYN2RFY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\23JC2UTD.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2EQ4E2OJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\2HYILE1O.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3RW4K76X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\3VVSZ2CO.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4MN240WN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4O6583I0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4YWCPPXN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\4Z6UDYLY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AFMRGRY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5ARQYMIV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5AV8L20N.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5NWXN3UI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5STJ6NZL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5TAY54V0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\5WQEGNKI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\66I0OJL8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\80J4IH0Y.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\8FFCGS26.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9ABR37NL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9IJPMFHZ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9M7ZHW1Q.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9XACNSYG.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\9Z1Y5ICI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\A0RK8A2H.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\AA2IJ7JU.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\B427TFXJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\BK4HNAZ1.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CC7DS78R.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CDGOWO27.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\CYHYO8JD.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\D9QO3KHK.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DN8YUCVA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DQI7WAG8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\DRDF2EZX.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E2KPI4ZI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\E978TFRK.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\F68MFAMN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FCGXHIFT.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FGTTES1V.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FLTMVY1F.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\FOLSAQT6.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\GXB342YS.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\H5LCJX1B.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HBPP9XXY.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HF8F6LU0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\HTVL5WIW.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ILF13HLB.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ISTFXHHR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\ITD4OUAR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\J4JSQG9R.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JQOCYKOH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\JWFWLAYR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\K8249Y1G.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\KNJ4AJDH.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\L78EW25D.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LC10XEWL.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LVARU12Y.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY1NFEKN.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\LY3FDU65.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\M19117WZ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MA5WDFBR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MBJX4MYA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MCAKE788.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MIL4MU1S.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MM8KB9U2.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MMPF10F4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\MOE7DCQU.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NEHE4KDB.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NOCAHPZ6.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\NYCCG1AV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\O8FFFI2K.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\P778SMC9.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PF9HBAFQ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\PK3I34UV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\QUMCK8L4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RAYRHE6Z.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RQK5QF4L.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RTEPN67M.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\RYK7X1K4.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\S0EK69P5.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\SEVCUJM3.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\STGOZ493.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\T1LCPPSA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TCXQPY9L.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TEW946CI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\TFCJHLEI.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U2OYIS47.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\U8FCPAKJ.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBUPNOZC.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UBXQG39X.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UGL14QS0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\UUEVXDWP.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\V7NNCJHO.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\VD3GM2DA.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WPEXKTDV.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WUT8M1Q8.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\WX75TEOR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XRS5D0N2.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\XUAUK5R0.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y1I415YS.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt True 1
Fn
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{24A75F92-33C8-F66F-DD98-178A614C3B5E}\cookie.ie\Low\Y3XU5OKR.txt source_filename = C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt True 1
Fn
Read - size = 12, size_out = 0 False 7
Fn
Read \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 12, size_out = 12 True 1
Fn
Data
Read \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 0, size_out = 0 False 1
Fn
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 4, size_out = 4 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 1, size_out = 1 True 2
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 8, size_out = 8 True 5
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 512, size_out = 512 True 16
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 3156, size_out = 3156 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 448, size_out = 448 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 140, size_out = 140 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 566, size_out = 566 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 450, size_out = 450 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 562, size_out = 562 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 458, size_out = 458 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 594, size_out = 594 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 112, size_out = 112 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 128, size_out = 128 True 2
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 846, size_out = 846 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 724, size_out = 724 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 902, size_out = 902 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 120, size_out = 120 True 2
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 118, size_out = 118 True 2
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 108, size_out = 108 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 110, size_out = 110 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 148, size_out = 148 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 180, size_out = 180 True 1
Fn
Data
Read C:\Users\CIiHmnxMn6Ps\Documents\Outlook Files\lcfkj@kiekc.df.pst size = 162, size_out = 162 True 1
Fn
Data
Read - size = 96, size_out = 96 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin size = 98824, size_out = 98824 True 1
Fn
Data
Write - size = 12 True 7
Fn
Data
Write \\.\pipe\{072BB6F5-BAEC-D114-FC2B-8E95F08FA299} size = 12 True 1
Fn
Data
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809 size = 96 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 80 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 30 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 24 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 22 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin size = 49412 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 80 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 30 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 49 True 1
Fn
Data
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018102520181026 - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5 - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5 - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.files - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome - False 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\journals - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb - True 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home - False 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent - False 1
Fn
Delete Directory C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\doomed - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\desktop.ini - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\container.dat - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018102520181026\container.dat - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\History\Low\History.IE5\container.dat - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\cookies.sqlite - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\2XBM2EDN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\8489XH4E.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B4K109K7.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\B67M68H4.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\OOUVZSZN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\TIGZFGLM.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\XNW1G0SM.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0GHTMU6X.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0MDKR34W.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\0Z1JIEVI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16DOE15M.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\16Y0X4V7.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1L3KU69N.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LFQZEOH.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1LLUY7B7.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\1UYN2RFY.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\23JC2UTD.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2EQ4E2OJ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\2HYILE1O.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3RW4K76X.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\3VVSZ2CO.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4MN240WN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4O6583I0.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4YWCPPXN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\4Z6UDYLY.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AFMRGRY.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5ARQYMIV.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5AV8L20N.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5NWXN3UI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5STJ6NZL.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5TAY54V0.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\5WQEGNKI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\66I0OJL8.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\80J4IH0Y.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\8FFCGS26.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9ABR37NL.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9IJPMFHZ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9M7ZHW1Q.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9XACNSYG.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\9Z1Y5ICI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\A0RK8A2H.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\AA2IJ7JU.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\B427TFXJ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\BK4HNAZ1.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CC7DS78R.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CDGOWO27.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\CYHYO8JD.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\D9QO3KHK.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DN8YUCVA.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DQI7WAG8.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\DRDF2EZX.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E2KPI4ZI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\E978TFRK.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\F68MFAMN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FCGXHIFT.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FGTTES1V.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FLTMVY1F.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\FOLSAQT6.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\GXB342YS.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\H5LCJX1B.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HBPP9XXY.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HF8F6LU0.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\HTVL5WIW.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ILF13HLB.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ISTFXHHR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\ITD4OUAR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\J4JSQG9R.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JQOCYKOH.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\JWFWLAYR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\K8249Y1G.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\KNJ4AJDH.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\L78EW25D.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LC10XEWL.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LVARU12Y.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY1NFEKN.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\LY3FDU65.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\M19117WZ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MA5WDFBR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MBJX4MYA.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MCAKE788.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MIL4MU1S.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MM8KB9U2.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MMPF10F4.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\MOE7DCQU.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NEHE4KDB.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NOCAHPZ6.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\NYCCG1AV.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\O8FFFI2K.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\P778SMC9.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PF9HBAFQ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\PK3I34UV.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\QUMCK8L4.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RAYRHE6Z.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RQK5QF4L.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RTEPN67M.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\RYK7X1K4.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\S0EK69P5.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\SEVCUJM3.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\STGOZ493.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\T1LCPPSA.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TCXQPY9L.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TEW946CI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\TFCJHLEI.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U2OYIS47.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\U8FCPAKJ.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBUPNOZC.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UBXQG39X.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UGL14QS0.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\UUEVXDWP.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\V7NNCJHO.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\VD3GM2DA.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WPEXKTDV.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WUT8M1Q8.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\WX75TEOR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XRS5D0N2.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\XUAUK5R0.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y1I415YS.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\INetCookies\Low\Y3XU5OKR.txt - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00230E843D3A08B230E933E226DB601D643BC852 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\00396519A728CAF55BA5985F2822E3CD29D0B17E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0070686314FCF810B3CEE062939E2805C4894837 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01936D44B3D7F728EFEB4C28574EF44AB7260A17 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01CC9F4D43A947CA6202BA62A7FFF28C6881C1BF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\01D69525274B61DE5FF860EF9BDF5BEDBB7E52C6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\023DB71E21A04D5A6CE60A1EC2C15A40BE00DD08 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\02556929CF2E7913AF6E896368676F9BEC324DF4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\025E6C3190211A09D15D92E5656FB71220B7737E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0396D4FE028249B03B952ECAC5BDC2698D7AC41D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04407A80544B9CDDB0BF74A9C5090D338DED55E6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04825B72BD3FF3B25000EE8B3660F3E1748CF56D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04DDA15772BB1EBE40F174D3D0AD961AB0D85881 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\04E42D40E9FF818034B152EBBD5D2648E474B06E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\053023C6ABE9799C7CBA3D16BB67C1B7F7B0D8A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\062AD3657B516BAF21B6D366104D405078541BA6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\073B56D883E94B03370493A96DF99C2B51FB3E9D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0782E7F698BE212FDCB80D8DE2C97C611AE50DFF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\085CFB45496B3087ABCB8ABD8529B3EB41D17C27 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A1144B8734850F5325AA6C259041EA8A201062C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A774848D5BE9E32A6789642784FD4DAFCD580F5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0A9B36C9F5BCA2621C56BD4B714A9141238CF27D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0ADCF0E2A022CEDF8D199ED2889DB295128C4E25 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0B55D23F82EE119DC0472267436CD5F2868E3B14 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0BCD5C644E4A81783F24DB39416D1CE0CA0C3015 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0CFEB549E537F8B2151A62BA069AE7A6D363BB90 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D1B36E62742C7776D68B1240296D02DFD6478FF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0D83D658A0C069047F6B9FD30BFDEDD80863B5F0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E030AE41B2AB97664B455929A8A0721BA5D1F69 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0E331C2EF53B5C952B79B038C00588087D45A128 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EC55DA246CC743C7EEA604EB85A206384B78D8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0EFA10E4516ACC80858411CA65A3CFF2B1AB347D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FCD257674B1DEC53E0617114C11061F0395BE84 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\0FEE7E531224DDC68090378EA0DD267E4A43A052 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\10242BACB3A923DC9924A5B41FC879A31AF03963 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102DC0B203B92AE5ADA25E34CEB5788226CA2769 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\102E001FB34D784FBF727701C7932E3FC58AF45D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\108573E2B07FF25FFCAFE37F58D375561A47424D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\116D5E76041E1DFC3004D30FEEB76351BB9D361F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1355867C7C8ACB52152CDC249B64D742CC40340D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1367E452AEFAA74CB544B69373FCCBB6C0E95AEB - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1380A3F977C9CB8D60BD5A90243F6A04E42FAD04 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\13871F2088220BCD932D60C30C272709DEAABB04 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1456D316BEE665C776E86DC63D0F546BA069BFBE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14786BE4B1040FAE49EABD0E2222B7EDCC6DF321 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14926D90946B0F4BA2FCA38D75A5FBA83EF29AD0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\14BF1B21A28D68D02D3CF7A0CA4D66159596ECD1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1531FBE50CE357526C558EE71AA60FC4D2E29E0C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15704E847DCFEC6E9A511A8897461209C820C052 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\15E4224DA48B83948028AEBE08751418DBDE4688 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16103553C2544720A8768AAA60212BE5916A4CE9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16114BA75206B6FA4C51ADC8A73DB4C6635F6AF9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\165A82B735DDDE6F05E29A770A52297EAE982902 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\16656B13E13FB159C452E606297943961E41BD83 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\167109A0C523F60F2197836B0BCDA9B52A4D16AE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\170F54EDBE19BE8676CC69B53BAC08C8932D118A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1722A63DF48E38B5DC308AE741FBFA24F762D8AC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\17FDE78A9ACA4445D5D13C94208BC4B0E4BA046A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1801CFE5BC39C5B24721E8CB2F32854EF5C5F96A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1833D74FE9FD5E002D12AD1D5CE9845C539E6D49 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\19B6A58F54F979D1CF008970B9B0D36B11B7944D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1A7C641FFE043BB811768257AF97546A0C7F3B55 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1AA5AFB1639FED28192BC2781A550C89494CDF9A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1ADEB94741EA84BB04219DA402BBC420B5512A2A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C7A6CE17940A6C75210FA60C52339417DEDEEFA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1C849477DE15B1F8F2245945F3F44468F58146DF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D719B3EE2A34A4E2DC9D0A4EAE1DF7948EA5A46 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D8C7F5B73A4CD02E54F20A75B1FC29BE8E2EE8B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1D94118C6FBA173AC2CE7C335C3CB9B7365F1E90 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DBC56BBF48819D9CC9E96F72309A2D366DD1B72 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1DCB6E830B5F6182674047BC07BE94E869A82DC1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E4C1DE6D9BC3C738CB37D3D4E0CCCDBDD4EC3E7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1E654765DD4C0B7A97A94BA7430FF4F02539B4D4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1EB2E405E2B5AFF18DBD87BBFB385EED242A1AB5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F03C5BEB6690C5E65013ADC12747A8FB0266E74 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F101A980B722E67F1FB3F0366EA9E520FB47D1B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\1F58B2F46F6C2DE8FF822405AC18A18128D0BBBC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\20343A86FB834223CC13D33560122837208F7563 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\209D12DF1554481FBDC90931601991A892F798E7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2118755562A693569EE2423CB1A2136CB8F1D9CC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\212CB67D7B36A171AAF7F0B1E24E5ADC687ACDCF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2144C082C2AC8FA4FB4863D9D3BE7E335DD2C91D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21870284BD46D6F21E756FF12837E26AC55D301D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\21B0E0F8C11507CB07A1BB82407F5AD646D80836 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\224A275AD09BE370F96D409F6AFE2904589080EC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\225640F98EF31B52AB76CF756A5C3512E0BDE89B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22777C6913A6B4768EE40D5F0103A93D8B477C3C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22B072DE2E829A9BBDD29C6C1005CBE946651C89 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\22CA1C7BCD8AA6B0D991889ABE75C06CA1EBACD1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24073350A672357B47B2D1A937642146E80AA938 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2445FA966A09E6B22679F2707AA980BBEBBC3BA8 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\245CEDA973B44C04325E8F3063F7596F9C88F120 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2465113476A71563C2561E1A45DF343E04BFF787 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24BE475A5C9CE3DA33684DFDEE6AC47BC9BA6DE6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24C5A11C7C55D609ED86B6E31E2C94301D075CB3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2530EF3224B6681D2B34ED5DB0B170C716EB1E39 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2587F851FECE6E69F3B26E54EDE4E02BD3C1D496 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2598A1CBB2EA6DB15DFF6382E5B17F41B01B4F0E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\25AFA0D28E7333EEE9F600A4A4F5B1C37A33789F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26686166E96A3EBDAC2ED90D8F9B4ECD22BBB577 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26926D1CDB0298F2781D6FAD532518F7C8B787DA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26C8D0872DE7292BC9C7F54426A5E887557300EA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\26D5902E65F2EC88B7E5ED33E815A3FDBE18E10F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\270900E85767111BD4C54667E304A0B6656EA0A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\273736E26CFF7795BE550BE3B37B1D4598946999 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28380882022BE365EDE32586CD158C635B9BE8D1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28D18C8667B2E4C79E3CE2766CF075BBFA55C129 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\28DAEEA417486B2D8FF609CC22C0244D45F802F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\291F29EF92755427DA03AB115BD92B68F34AB659 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\297135C089B3661F5AABB8E90985C6930164B685 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A650CB5032027B0EF79F4B9916C5D43EEFEDB3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2A705BA174D08F119A903AD6AE391B16AE92D9FC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2AEEA30E1ABF20CE6EDCD6534789A8A96595E87A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2B662789DFDD9C1308FF8ECD48E05F393053163C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C18FE48FBDBA136A5EC51C8B9D4382D2452C359 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C40C733B84018F500F4F551FC53305A5971F05F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C5330B3725C70F20F4BC8A5385F696CC68B83C6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2C706476EF0944CD159653F65034A1071345205C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2CCFCBE257B8F5BE4FEAF68C08171DAF22AEED89 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D062CF6D6777E6BD7D9D53DBAB84CA6329C9727 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D693D07DD992FA2955C9EDE27FDA78487556E32 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2D7DB1F2A5BBDE7DB3035CEA82134D2CF20D58AE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E08CDAEE955A40889AC5877BE194C7EF12394A5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E2D3BD78AAC7DD8EC8B5CA26C36A64A912EA68B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2E78209F2BD7068695BB80AAE0D3E5F19A372BCA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2EAFF2699FCEE0EDFEF4FF824C07727F657B0D45 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2F0A7F5A4CF50FBAA8EC8FB9F3EBEF7461E5FA83 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FD2E2A71F89E3A92F68CB796207228217259289 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\2FEB6245AA212EA51F79468084964097925BD6D6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\311C19847187CC20C5A8A21FA39C6639F5BBCF67 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31220725946AC054F523C4029C40CA22A7A42621 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31592C8B017CA0508B5F0339E7E1EA46376F2D31 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\317E80FB14217F5F6E8EAB3C4982A166EBEDBC9C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3194BBD824DE5F4E0F44B99C71BB6C700199B487 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\31F8F1DF56894B1D3F2180DB7128624160D6FD5E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3221C03D33E21E6F8B41DB86EB7B6527177AD6F9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32AFE38EED991EA004851E7C968397C7D9EA501C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\32B6927A1EB46E83B230070265358A1C5B788D11 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3313B622F3B9896C056CB0A1A534E4C91732E665 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\338233A5FF4B5082E562A4B5BFBCDB2581DE81E6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33A34037B96BD19CC90C0A382CEDF384EE052FCC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33B10E2C53E1205B7527185F086F1BD9A39B07CD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E49DB212B852799023F439D16990005F93C4F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\33E659B30B4E594B210633855AC841A47BB4BBB9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\346330431993BC995E9F9C114FE39FD5B54EB7DF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\34CEF73D25CB0DE8A1CD86FB09EF24D17790BCA7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3502F57243FBD8F9D25E093A72D603074783A304 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\356FCE9F932692DC643481DBA1ABEA937B629F58 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\35933C361338037A97583E92DA61C299851A9B4E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36A422C04312727A6116F45E357EDA80B3B4A6FD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36C5C19636CA8995D6ADCD176668444451854326 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\36DBE72541419953BE4A8BD61964782F4DBEDECF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\376ED25A1DE94F0D96E985E5D5CACFCFE3812131 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B0298825F693E093744779A7278E41F1419493 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37B4BC98C8FDD6283BE80C5CC385582FEF5D6747 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\37BC32B4B7033C1AB388018EC734B639086C814E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\383704E4BB07D527519A7352BA38B681C661FD8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\38819CF0EDDF28F6C7AE4A62EA2DC0E07EA71115 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39CC8AA9054EC6244CA281EEA4BD937517E2861D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\39D606C35C00ADA6E9320E1F6431E5A33EB42182 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A554E4EFCC1FAD19E963D27B9A2BF73C9664268 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3A6C331288F156E9A07E3EA398F3A8FAF0530D8F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3B3EDC129FE6ED020C044AC637791DEC8B6B7603 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3D896079491CA68DD9BB6DB7E612C8DC74463279 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3DE1033D1165F9D849E6DFD8566ABB9179DB1D0F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3E42820479FADF666581B0704FA4AF901AE0E045 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3EA580E2FD537915B7084615630F0189274B1F60 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FAECD8F44CECB41F5586C0DC333275FC173593A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\3FB6DE7747DC1B658385638D277CF2D620D232E4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\400E86363026A9AC2DCD2221C145C6370E3E8EDA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4030DFFE47D5B75257AA7A8C0A26B737E2F00FF3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\40645D76E586E360D63982B2D4525920F0CF3060 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\406839CA18775158E58D75B2837624917D7E685C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\407EB4DE353DE3AD4E1A29F0E0E84F65C2CE6E3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\41367369B0154D1D2566CC216318C71115E089A2 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4238786CB87B503754EE13346F30AE3FCE28174F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\425AB3A135AC92C5F7A29092F686A777B30A8C0A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\42C23BB7242DFE074931A302B5BEB9B1D73B0BA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\431BDCA04B51BE586DFCF48431166463879B3DBF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\434A5C8B5D0BEF67CEEB6076803A286CAE99C8C9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43686105AC844B29A19E4AD788A5ABBD2714FC75 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\438AB448ED7FB7D99CB7CFAB433F9E19A475D0EF - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\43A641B524487AFDAC7A8AF548EE196228BF6EAE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\44437BAE601C72F5ED96953EAE92C527D4C2D46F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4453CB40F54977CDF96034A3A658080FDA7E43FA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\445E695F447CA967C4DAE00C80034130290F80EA - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45A759AC8024EF1FCC5ECA005CEB9C4A4F78984E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\45C64E5C2E9809667C5FC9F06FC42641326DF768 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4613B437E86D18E98F830433A5E6F7F9ABAF3693 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\467A961D019F23E5AF0F0266CD78A5F3D3290E5B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\489059ED134C75D04357FD895C6280E1F7978C59 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\48D18A403364708B74676D0C5068809EE47BCF43 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491836973BD7F16266314A8709EF00934A1BFCA0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\491FFC0D1E910DC1DB3107E7DA730B43A97010A0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4A46AC76F0CCC4293CC380999116F3B7911F85BE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B18B5ADA8BF2E475961694931BE215AED8ECBD5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4B2A0DFA12FEADFF375261309F704B43534BEE37 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4BB6AC032612F432B6B5DA43EE2DAA6A8A03B6F4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4C7EAEF07520B2C9900CFE06971368FF939AA197 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CAD791F9C35BB747A46BAC7BE30A1E3BC028262 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4CF1AED5BBD3500653D8E2D1ACE09C58CF2D6182 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DCE88D30F65C9460CC26665BC0A65F3234FA3D4 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4DEBFBF420A31CFDD61418B1BE3ADB580389730E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4EFB15999EE57EDBFAADF69D6A31D8C6F90FE8DC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F0C54EEF677196E2899E5E79B4F3A906E46F926 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F21DDD23480F1D4FBA13115BADB18B9AD18D8B1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F372C9418B79051ABED288900CDF3D20C12F38C - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F680E68B8C682B5D2540FA7BE7B7F0D7521D9C9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4F78D1F2D9B48D34C6259CF59FD5E171B97EFB3A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\4FC872C4A3A8739207D005A676C19DAB518FA53B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\514D7C625328106E43CEC7FD7CF71AEDA0A3101F - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\522FF036651FEA29F227BFB14BD934175DDBA62A - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5289F8C4AB5388DE2FCD562674EDF6674FB6DD30 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\529CD0D4C166C4989BAABA7E5FF50F75FB1D22D3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\52ECE00B624C0C246123D20C46C3EE4F390A42FE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\539C21F72CC831D883A265394E7125EFC208B096 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53DAE4B1D7BFF6744CCAF7207DE631267F9883DC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\53E9CAA90A10C82CF9C2D5393B332D17B263105E - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\54BF6D9D46D035228AC887ABC41B451F2BA38C02 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5588A68FFECF7B388E18C33727BF06B30B837DF1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\559737B84286037BF56FE9E46C53581FB6FF6751 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56945BFE2B00EED1BE4F7B1F389030A0AF203742 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56B48B214C8C7AC2CE81EFC4F92C4550FB675AE9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\56C1D667A6AFD5406F830882D54923461E079C1B - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5740B2DD533A74C3D20DD1D045CF7090D3BFB1AC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\577655B6F15A0EEA0864C0703652DE24C091B634 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5781F439935B6472D7D312E75A3B766C3E30CF60 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\579EC9227C4A988DCC4894D82AA161957107515D - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57E662573FD9E42D3972BE92D3DF0557C7B2E836 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\57FB9388D9B054D289CC913E797B5C5217B6A217 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58A845FD76589B14EF62BB6CFEA62DB0C7CCFBBE - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\58BFE77FA719F36CE48D4A317C753C845C38FE29 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59248032DB55D8A9E0296A51BC66F3DEA6028EA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\592BC6129BB410343931D35AFB0FE270C66E58F0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59BB52B352DE6D0ED5D0376B33855D43CA80B3F7 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\59D05F1B38666C8EF68BDEE20A28647F754464F6 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A39FCB4CCAE4A6C76307026D7C882B4AE85B1F9 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5A6EEC1674DA4669A4FF612E7924A91FBF501426 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5AF1F43361120818C2E543605F5DF938574B1EDC - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B1B55B57E2440A52DE3FED7E02C83E04A78B0FD - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5B928BD544BA66929A709C6AEC9D5968DCB905A1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5BDDE6C7804D11CE399AF314C3D33E47FBAE7C88 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5C30F12D68A505E4AE0A6A3D896A1EC9C549AE96 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Mozilla\Firefox\Profiles\8i341t8m.default\cache2\entries\5D3D330EFBD2B9CD6EB45919D9403F605414EFA5 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_0 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_1 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_2 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\data_3 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000001 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000002 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000003 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000004 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000005 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000006 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000007 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000008 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000009 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000a - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000b - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000c - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000d - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000e - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00000f - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000010 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000011 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000012 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000013 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000014 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000015 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000016 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000017 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_000018 - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001a - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001b - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001c - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001d - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001e - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\f_00001f - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cache\index - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Cookies - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.inf - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\setup.rpt - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin - True 1
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\{25E2F79F-402D-9FBF-7229-7443C66DE827}\01D46BD24DAB98E809 - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\setup.inf - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\setup.rpt - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin - True 1
Fn
Delete C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin - True 1
Fn
Registry (3331)
»
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Create Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\SecureBrain\PhishWall - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Run - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager - True 2
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook - False 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook - False 24
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 32
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 3
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 60
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 63
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 429
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 4
Fn
Open Key HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 - True 2
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Install, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductID, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = CurrentVersion, data = 54 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = InstallDate, data = 65 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, type = REG_NONE False 1
Fn
Read Value TreatAs type = REG_NONE False 29
Fn
Read Value - data = 0 True 50
Fn
Read Value - data = ShellItem Shell Namespace helper True 1
Fn
Read Value - value_name = InprocServer32 False 25
Fn
Read Value - data = C:\Windows\system32\windows.storage.dll True 4
Fn
Read Value - value_name = ThreadingModel, data = Both True 14
Fn
Read Value InprocHandler32 - False 29
Fn
Read Value InprocHandler - False 29
Fn
Read Value - data = Immersive Shell True 2
Fn
Read Value - data = PSFactoryBuffer True 3
Fn
Read Value - data = C:\Windows\System32\ActXPrxy.dll True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager value_name = Outlook, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Email Address False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Server, data = 114 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Server, data = 102 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User Name False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User Name False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Email Address False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP User Name False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User Name False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, data = 108 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP Server URL False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = 108 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail User Name False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password2 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Password2 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Password2 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTPMail Password2 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Password2 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Password False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = NNTP Password False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP Password False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Password False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Email Address False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Email Address False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Email Address False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = Email False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP Server URL False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail User Name False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail Server False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP User False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTPMail Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Password2 False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = NNTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = HTTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Password False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = POP3 Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = SMTP Port, data = 0, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = IMAP Port, data = 0, type = REG_NONE False 2
Fn
Read Value - data = Microsoft Url History Service True 1
Fn
Read Value - data = C:\Windows\System32\ieframe.dll True 1
Fn
Read Value - value_name = ThreadingModel, data = Apartment True 8
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = LastTask, type = REG_NONE False 1
Fn
Read Value - value_name = CacheLimit, type = REG_NONE True 3
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = explorer.exe, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 value_name = *, type = REG_NONE False 1
Fn
Read Value - value_name = explorer.exe, type = REG_NONE True 1
Fn
Read Value - value_name = explorer.exe, type = REG_NONE False 1
Fn
Read Value - value_name = *, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings value_name = ProxySettingsPerUser, type = REG_NONE False 1
Fn
Read Value - value_name = Enable False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 2
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Exec, type = REG_NONE False 2
Fn
Read Value - - False 4
Fn
Read Value - data = C:\Windows\system32\windowscodecs.dll True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows value_name = DisplayVersion, type = REG_NONE False 59
Fn
Read Value HKEY_CURRENT_USER\Control Panel\Desktop value_name = PaintDesktopVersion, type = REG_NONE True 59
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = ValidateRegItems False 9
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace value_name = MonitorRegistry, data = 1 True 9
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace value_name = ValidateRegItems False 16
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace value_name = MonitorRegistry False 16
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached value_name = {9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} {000214E6-0000-0000-C000-000000000046} 0xFFFF, type = REG_NONE True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions value_name = HasFlushedShellExtCache, type = REG_NONE True 1
Fn
Read Value - data = Sync Center Folder True 1
Fn
Read Value - data = C:\Windows\System32\SyncCenter.dll True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace value_name = ValidateRegItems False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace value_name = MonitorRegistry False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders value_name = StorageDelegateSuppressionPolicy, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders value_name = StorageDelegate, type = REG_NONE True 1
Fn
Read Value - data = Shell File System Folder True 1
Fn
Read Value - data = C:\Windows\system32\Windows.Storage.dll True 1
Fn
Read Value - value_name = UIStatus, type = REG_NONE True 1
Fn
Read Value - value_name = OnlyMember, type = REG_NONE True 1
Fn
Read Value - data = This PC True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = ValidateRegItems False 5
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace value_name = MonitorRegistry False 5
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives value_name = ValidateRegItems False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives value_name = MonitorRegistry False 1
Fn
Read Value Storage value_name = FilterMask, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced value_name = NeverShowDrivesMask, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced value_name = HideDrivesWithNoMedia, type = REG_NONE False 1
Fn
Read Value - data = Property System Both Class Factory True 1
Fn
Read Value - data = C:\Windows\system32\propsys.dll True 2
Fn
Read Value - type = REG_NONE False 2
Fn
Read Value - data = Local Thumbnail Cache True 1
Fn
Read Value - data = C:\Windows\System32\thumbcache.dll True 2
Fn
Read Value - data = Home Group Member Status True 1
Fn
Read Value - data = C:\Windows\System32\provsvc.dll True 1
Fn
Read Value - data = Windows Search Platform True 1
Fn
Read Value - data = Thumbnail Cache Class Factory for Out of Proc Server True 1
Fn
Read Value - data = Shell Oplock Provider True 1
Fn
Read Value - data = C:\Windows\system32\shcore.dll True 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Ini, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Exec, type = REG_NONE False 1
Fn
Read Value - value_name = ActivationType, type = REG_NONE True 3
Fn
Read Value - value_name = Threading, type = REG_NONE True 3
Fn
Read Value - value_name = TrustLevel, type = REG_NONE True 3
Fn
Read Value - value_name = ActivateAsUser, type = REG_NONE False 3
Fn
Read Value - data = Network List Manager True 1
Fn
Read Value - data = Windows.Networking.Connectivity.ProxyStubFactory True 1
Fn
Read Value - data = C:\Windows\System32\Windows.Networking.Connectivity.dll True 1
Fn
Read Value - data = Sync root manager True 1
Fn
Read Value - data = C:\Windows\System32\shell32.dll True 1
Fn
Read Value - data = C:\Windows\System32\npmproxy.dll True 1
Fn
Read Value - data = Shared Task Scheduler True 2
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{9DAC2C1E-7C5C-40EB-833B-323E85A1CE84} value_name = Disabled False 1
Fn
Read Value - data = C:\Windows\System32\wscinterop.dll True 1
Fn
Read Value - value_name = CheckSetting, type = REG_NONE True 38
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{CA236752-2E77-4386-B63B-0E34774A413D} value_name = Disabled False 1
Fn
Read Value - data = C:\Windows\System32\werconcpl.dll True 1
Fn
Read Value - value_name = Disabled, type = REG_NONE True 3
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4} value_name = Disabled False 1
Fn
Read Value - data = User Account Control Check Provider True 1
Fn
Read Value - data = C:\Windows\System32\hcproviders.dll True 4
Fn
Read Value - value_name = ThreadingModel, data = Free True 3
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = EnableLUA, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = ConsentPromptBehaviorAdmin, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value_name = PromptOnSecureDesktop, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{088E8DFB-2464-4C21-BAD2-F0AA6DB5D4BC} value_name = Disabled False 1
Fn
Read Value - data = SmartScreen Settings Check Provider True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System value_name = EnableSmartScreen, type = REG_NONE False 2
Fn
Read Value - value_name = SmartScreenEnabled, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{D26DE5C1-C061-43F7-9C40-7517526CF1C1} value_name = Disabled False 1
Fn
Read Value - data = Startup App Check Provider True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\StartupNotify value_name = EnableStartupAppNotification, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\COM\{6AE07DC1-0244-4C6F-9AB0-5017A56357C3} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{01979c6a-42fa-414c-b8aa-eee2c8202018} value_name = Disabled False 1
Fn
Read Value - value_name = LastKnownState, type = REG_NONE False 5
Fn
Read Value - data = User Account Control Check Service True 1
Fn
Read Value - value_name = CheckSetting, type = REG_NONE False 6
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78} value_name = Disabled False 1
Fn
Read Value - value_name = LastKnownState, type = REG_NONE True 4
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{A5268B8E-7DB5-465b-BAB7-BDCDA39A394A} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{134EA407-755D-4A93-B8A6-F290CD155023} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{B447B4DB-7780-11E0-ADA3-18A90531A85A} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{3FF37A1C-A68D-4D6E-8C9B-F79E8B16C482} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{2374911B-B114-42FE-900D-54F95FEE92E5} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{96F4A050-7E31-453C-88BE-9634F4E02139} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{AA4C798D-D91B-4B07-A013-787F5803D6FC} value_name = Disabled False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Security and Maintenance\Providers\EventLog\{34A3697E-0F10-4E48-AF3C-F869B5BABEBB} value_name = Disabled False 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings value_name = EnableSPDY3_0, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {111F6A44-3C4D-6BC7-CED5-30CFE2D96473}, size = 8, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = {36CFCEF2-1DFD-D85B-57CA-A18C7B9E6580}, size = 8, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530 value_name = Client, size = 40, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files value_name = 2B1905BE3AD836430F, size = 92, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files value_name = 8583E37508A8504006, size = 92, type = REG_BINARY True 1
Fn
Data
Delete Value HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files value_name = 2B1905BE3AD836430F True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Main - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB)\Uninstall - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\53.0.3 (x86 en-GB) - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\bin - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3\extensions - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox 53.0.3 - False 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Mozilla - False 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs - False 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - True 1
Fn
Enumerate Values HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\667F6611-8D0F-88EB-47FA-113C6BCED530\Files - False 1
Fn
Process (598)
»
Operation Process Additional Information Success Count Logfile
Create cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x560, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin" os_pid = 0x848, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x8f4, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x428, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x200, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x8cc, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x274, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0xb18, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0xbbc, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0xb00, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x8c0, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0xb6c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x8ec, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1" os_pid = 0x3ac, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Create makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin" os_pid = 0xa4c, creation_flags = CREATE_DEFAULT_ERROR_MODE, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 583
Fn
Module (290)
»
Operation Module Additional Information Success Count Logfile
Load ntdll.dll base_address = 0x0 True 1
Fn
Load KERNEL32.dll base_address = 0x0 True 1
Fn
Load AVIFIL32.dll base_address = 0x0 True 1
Fn
Load ADVAPI32.dll base_address = 0x7ffb47e30000 True 1
Fn
Load SHLWAPI.dll base_address = 0x7ffb46250000 True 1
Fn
Load USER32.dll base_address = 0x7ffb45c50000 True 1
Fn
Load PSAPI.DLL base_address = 0x7ffb460b0000 True 1
Fn
Load ole32.dll base_address = 0x7ffb45900000 True 1
Fn
Load ADVAPI32.DLL base_address = 0x7ffb47e30000 True 1
Fn
Load SHELL32.dll base_address = 0x7ffb46890000 True 1
Fn
Load WININET.dll base_address = 0x7ffb3cf60000 True 1
Fn
Load vaultcli.dll base_address = 0x7ffb38cf0000 True 1
Fn
Get Handle Unknown module name base_address = 0x7ff6fa0a0000 True 1
Fn
Get Handle KERNEL32.DLL base_address = 0x7ffb45e10000 True 5
Fn
Get Handle NTDLL.DLL base_address = 0x7ffb48180000 True 2
Fn
Get Handle kernelbase base_address = 0x7ffb45670000 True 2
Fn
Get Handle ADVAPI32.DLL base_address = 0x7ffb47e30000 True 3
Fn
Get Filename AVIFIL32.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 2
Fn
Get Address - function = NtCreateSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = NtUnmapViewOfSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = NtMapViewOfSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwOpenProcessToken, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwClose, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwQueryInformationToken, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwOpenProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = NtQuerySystemInformation, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlNtStatusToDosError, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwQueryInformationProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlImageDirectoryEntryToData, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = _wcsupr, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = _strupr, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = memmove, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = bsearch, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = _vsnwprintf, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = _strlwr, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = atoi, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = strstr, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = wcscpy, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ZwQueryKey, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlUpcaseUnicodeString, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlFreeUnicodeString, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = sprintf, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = _snprintf, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = memset, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = memcpy, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = strcpy, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlAdjustPrivilege, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = mbstowcs, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RtlImageNtHeader, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = memcmp, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = __C_specific_handler, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = __chkstk, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetLocalTime, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = VirtualQueryEx, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateRemoteThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetModuleFileNameW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetVersion, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SetEndOfFile, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RemoveDirectoryW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetTempFileNameA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = DeleteCriticalSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = VirtualAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = VirtualProtect, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CloseHandle, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WriteProcessMemory, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateFileA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcmpiA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetModuleFileNameA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LoadLibraryA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetCurrentProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcmpA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetModuleHandleA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateFileMappingA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = MapViewOfFile, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = Sleep, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = UnmapViewOfFile, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GlobalLock, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrlenA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GlobalAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GlobalUnlock, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = HeapAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcpyA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetLastError, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = HeapFree, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RemoveDirectoryA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = DeleteFileA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcatA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WriteFile, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateDirectoryA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = HeapDestroy, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = HeapCreate, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SetEvent, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = HeapReAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetTickCount, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FindNextFileW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CopyFileW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SetWaitableTimer, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LocalAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetCurrentThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetCurrentThreadId, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrlenW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetSystemTimeAsFileTime, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateEventA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetWindowsDirectoryA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = DeleteFileW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateDirectoryW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateWaitableTimerA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetTempPathA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FindFirstFileW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LocalFree, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = TerminateProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SuspendThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WaitForMultipleObjects, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ResumeThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcpyW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FileTimeToSystemTime, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateFileW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ResetEvent, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SwitchToThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcatW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateProcessW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetFileSize, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetFileAttributesW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ExpandEnvironmentStringsW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WideCharToMultiByte, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LeaveCriticalSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SetLastError, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = EnterCriticalSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetComputerNameA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateMutexA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenWaitableTimerA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenMutexA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetVolumeInformationA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WaitForSingleObject, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ReleaseMutex, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetComputerNameW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = InitializeCriticalSection, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LoadLibraryExW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetProcAddress, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = VirtualFree, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetLogicalDriveStringsW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetFileAttributesA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenFileMappingA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetExitCodeProcess, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateProcessA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcpynA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LocalReAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = TlsAlloc, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = TlsGetValue, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = TlsSetValue, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = LoadLibraryW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetVersionExW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FreeLibrary, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ReadFile, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SetFilePointer, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = Thread32First, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = QueueUserAPC, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateToolhelp32Snapshot, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenThread, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = Thread32Next, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FindFirstFileA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FindNextFileA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = ConnectNamedPipe, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetOverlappedResult, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CancelIo, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = DisconnectNamedPipe, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FlushFileBuffers, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CallNamedPipeA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = CreateNamedPipeA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetSystemTime, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = WaitNamedPipeA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetCurrentProcessId, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = SleepEx, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RemoveVectoredExceptionHandler, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AddVectoredExceptionHandler, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = OpenEventA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = lstrcmpiW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = RaiseException, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetSystemInfo, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = Process32NextW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = Process32FirstW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = QueueUserWorkItem, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FileTimeToLocalFileTime, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = FindClose, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = GetDriveTypeW, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = VirtualProtectEx, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIStreamRelease, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIStreamWrite, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIFileOpenA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIFileCreateStreamA, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIStreamSetFormat, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIFileExit, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIFileInit, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIMakeCompressedStream, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address - function = AVIFileRelease, ordinal = 0, address_out = 0x324fb60 True 1
Fn
Get Address Unknown module name function = IsWow64Process, address_out = 0x7ffb45e2e960 True 1
Fn
Get Address Unknown module name function = ConvertStringSecurityDescriptorToSecurityDescriptorA, address_out = 0x7ffb47e4d610 True 1
Fn
Get Address Unknown module name function = StrRChrA, address_out = 0x7ffb46264dd0 True 1
Fn
Get Address Unknown module name function = wsprintfA, address_out = 0x7ffb45c72610 True 1
Fn
Get Address Unknown module name function = RegOpenKeyA, address_out = 0x7ffb47e4b9e0 True 1
Fn
Get Address Unknown module name function = RegQueryValueExA, address_out = 0x7ffb47e47dd0 True 1
Fn
Get Address Unknown module name function = RegCloseKey, address_out = 0x7ffb47e472e0 True 1
Fn
Get Address Unknown module name function = StrToIntExA, address_out = 0x7ffb46264e70 True 1
Fn
Get Address Unknown module name function = StrChrA, address_out = 0x7ffb46264cc0 True 1
Fn
Get Address Unknown module name function = StrTrimA, address_out = 0x7ffb46264e80 True 1
Fn
Get Address Unknown module name function = GetUserNameA, address_out = 0x7ffb47e5ec40 True 1
Fn
Get Address Unknown module name function = EnumProcessModules, address_out = 0x7ffb460b1040 True 1
Fn
Get Address Unknown module name function = StrStrIW, address_out = 0x7ffb4625b260 True 1
Fn
Get Address Unknown module name function = RegEnumValueW, address_out = 0x7ffb47e47220 True 1
Fn
Get Address Unknown module name function = RegSetValueExA, address_out = 0x7ffb47e32680 True 1
Fn
Get Address Unknown module name function = RegCreateKeyA, address_out = 0x7ffb47e76dc0 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExA, address_out = 0x7ffb47e47d70 True 1
Fn
Get Address Unknown module name function = CreateStreamOnHGlobal, address_out = 0x7ffb466370a0 True 1
Fn
Get Address Unknown module name function = PathFindFileNameA, address_out = 0x7ffb4625cf30 True 1
Fn
Get Address Unknown module name function = SetWindowsHookExA, address_out = 0x7ffb45c527a0 True 1
Fn
Get Address Unknown module name function = RegisterClassA, address_out = 0x7ffb45c71310 True 1
Fn
Get Address Unknown module name function = CreateWindowExA, address_out = 0x7ffb45c74df0 True 1
Fn
Get Address Unknown module name function = GetWindowLongPtrA, address_out = 0x7ffb45c5cae0 True 1
Fn
Get Address Unknown module name function = DefWindowProcA, address_out = 0x7ffb48213230 True 1
Fn
Get Address Unknown module name function = SetWindowLongPtrA, address_out = 0x7ffb45c661f0 True 1
Fn
Get Address Unknown module name function = GetMessageA, address_out = 0x7ffb45c6aa50 True 1
Fn
Get Address Unknown module name function = TranslateMessage, address_out = 0x7ffb45c636a0 True 1
Fn
Get Address Unknown module name function = DispatchMessageA, address_out = 0x7ffb45c761e0 True 1
Fn
Get Address Unknown module name function = SetClipboardViewer, address_out = 0x7ffb45c80de0 True 1
Fn
Get Address Unknown module name function = PostMessageA, address_out = 0x7ffb45c74900 True 1
Fn
Get Address Unknown module name function = OpenClipboard, address_out = 0x7ffb45c7b6c0 True 1
Fn
Get Address Unknown module name function = GetClipboardData, address_out = 0x7ffb45c7aba0 True 1
Fn
Get Address Unknown module name function = CloseClipboard, address_out = 0x7ffb45c80920 True 1
Fn
Get Address Unknown module name function = StrCmpIW, address_out = 0x7ffb4625be50 True 1
Fn
Get Address Unknown module name function = RegNotifyChangeKeyValue, address_out = 0x7ffb47e48fd0 True 1
Fn
Get Address Unknown module name function = CoInitializeEx, address_out = 0x7ffb46683170 True 1
Fn
Get Address Unknown module name function = RegEnumKeyExA, address_out = 0x7ffb47e325d0 True 1
Fn
Get Address Unknown module name function = IsTextUnicode, address_out = 0x7ffb47e46c80 True 1
Fn
Get Address Unknown module name function = SHGetFolderPathW, address_out = 0x7ffb46970080 True 1
Fn
Get Address Unknown module name function = PathCombineW, address_out = 0x7ffb4625d130 True 1
Fn
Get Address Unknown module name function = PathMatchSpecW, address_out = 0x7ffb46264990 True 1
Fn
Get Address Unknown module name function = RegOpenKeyExW, address_out = 0x7ffb47e46cb0 True 1
Fn
Get Address Unknown module name function = CryptAcquireContextW, address_out = 0x7ffb47e489e0 True 1
Fn
Get Address Unknown module name function = CryptCreateHash, address_out = 0x7ffb47e47bf0 True 1
Fn
Get Address Unknown module name function = CryptHashData, address_out = 0x7ffb47e47d80 True 1
Fn
Get Address Unknown module name function = CryptGetHashParam, address_out = 0x7ffb47e47970 True 1
Fn
Get Address Unknown module name function = CryptDestroyHash, address_out = 0x7ffb47e486a0 True 1
Fn
Get Address Unknown module name function = CryptReleaseContext, address_out = 0x7ffb47e48ee0 True 1
Fn
Get Address Unknown module name function = CoCreateInstance, address_out = 0x7ffb46697000 True 1
Fn
Get Address Unknown module name function = FindFirstUrlCacheEntryA, address_out = 0x7ffb3d012120 True 1
Fn
Get Address Unknown module name function = StrStrIA, address_out = 0x7ffb4625e1c0 True 1
Fn
Get Address Unknown module name function = FindNextUrlCacheEntryA, address_out = 0x7ffb3cfe7bf0 True 1
Fn
Get Address Unknown module name function = PathFindExtensionA, address_out = 0x7ffb46264800 True 1
Fn
Get Address Unknown module name function = StrRChrW, address_out = 0x7ffb4625dd80 True 1
Fn
Get Address Unknown module name function = StrChrW, address_out = 0x7ffb4625a2a0 True 1
Fn
Get Address Unknown module name function = CoUninitialize, address_out = 0x7ffb46682380 True 1
Fn
Get Address Unknown module name function = CoTaskMemFree, address_out = 0x7ffb466c1110 True 1
Fn
Get Address Unknown module name function = FindCloseUrlCache, address_out = 0x7ffb3cfb2470 True 1
Fn
Get Address Unknown module name function = InternetCanonicalizeUrlA, address_out = 0x7ffb3d0871b0 True 1
Fn
Get Address Unknown module name function = InternetOpenA, address_out = 0x7ffb3cf81400 True 1
Fn
Get Address Unknown module name function = InternetSetStatusCallback, address_out = 0x7ffb3d0156e0 True 1
Fn
Get Address Unknown module name function = InternetConnectA, address_out = 0x7ffb3d0878f0 True 1
Fn
Get Address Unknown module name function = HttpOpenRequestA, address_out = 0x7ffb3d0b30a0 True 1
Fn
Get Address Unknown module name function = InternetQueryOptionA, address_out = 0x7ffb3cf83cc0 True 1
Fn
Get Address Unknown module name function = InternetSetOptionA, address_out = 0x7ffb3cf97f00 True 1
Fn
Get Address Unknown module name function = HttpSendRequestA, address_out = 0x7ffb3cf63330 True 1
Fn
Get Address Unknown module name function = VaultOpenVault, address_out = 0x7ffb38cf2310 True 1
Fn
Get Address Unknown module name function = VaultCloseVault, address_out = 0x7ffb38cf23a0 True 1
Fn
Get Address Unknown module name function = VaultEnumerateItems, address_out = 0x7ffb38cf21c0 True 1
Fn
Get Address Unknown module name function = VaultGetItem, address_out = 0x7ffb38cf1ff0 True 2
Fn
Get Address Unknown module name function = VaultFree, address_out = 0x7ffb38cfe340 True 1
Fn
Get Address Unknown module name function = RegEnumKeyExW, address_out = 0x7ffb47e47180 True 1
Fn
Get Address Unknown module name function = InternetReadFile, address_out = 0x7ffb3cf83350 True 1
Fn
Get Address Unknown module name function = HttpQueryInfoA, address_out = 0x7ffb3cf97140 True 1
Fn
Get Address Unknown module name function = InternetCloseHandle, address_out = 0x7ffb3cfbe110 True 1
Fn
Get Address Unknown module name function = 92, address_out = 0x7ffb46ab1c90 True 1
Fn
Get Address Unknown module name function = PathIsDirectoryEmptyA, address_out = 0x7ffb46266840 True 1
Fn
Get Address Unknown module name function = CoCreateGuid, address_out = 0x7ffb46682340 True 1
Fn
Get Address Unknown module name function = RegEnumValueA, address_out = 0x7ffb47e60f00 True 1
Fn
Get Address Unknown module name function = HttpAddRequestHeadersA, address_out = 0x7ffb3cfcf3e0 True 1
Fn
Get Address Unknown module name function = RegDeleteValueA, address_out = 0x7ffb47e32960 True 1
Fn
Create Mapping C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin filename = C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin, protection = PAGE_READONLY, maximum_size = 161 True 1
Fn
Map C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin process_name = c:\windows\explorer.exe, desired_access = FILE_MAP_READ True 1
Fn
Window (2)
»
Operation Window Name Additional Information Success Count Logfile
Create - class_name = {8F4BB7B2-3369-65B4-0683-9A6728ADDC31}, wndproc_parameter = 213219456 True 1
Fn
Create - class_name = {41A6C2A8-C5E7-0A1A-5CB1-5075EE0B026F}, wndproc_parameter = 213219088 True 1
Fn
System (63)
»
Operation Additional Information Success Count Logfile
Get Computer Name result_out = LHNIWSJ True 1
Fn
Get Clipboard format = 1 False 1
Fn
Sleep duration = -1 (infinite) False 3
Fn
Sleep duration = -1 (infinite) True 28
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 7
Fn
Sleep duration = 60000 milliseconds (60.000 seconds) True 4
Fn
Get Time type = Ticks, time = 61687 True 1
Fn
Get Time type = System Time, time = 2018-10-24 19:46:06 (UTC) True 1
Fn
Get Time type = Ticks, time = 62109 True 1
Fn
Get Time type = Ticks, time = 62125 True 1
Fn
Get Time type = System Time, time = 2018-10-24 19:46:46 (UTC) True 1
Fn
Get Time type = Ticks, time = 102343 True 2
Fn
Get Time type = Ticks, time = 103421 True 1
Fn
Get Time type = System Time, time = 2018-10-24 19:46:49 (UTC) True 1
Fn
Get Time type = Ticks, time = 106031 True 2
Fn
Get Time type = Ticks, time = 115953 True 2
Fn
Get Time type = System Time, time = 2018-10-24 19:47:00 (UTC) True 1
Fn
Get Time type = Ticks, time = 135703 True 2
Fn
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0xcb2045c True 1
Fn
Get Info type = Operating System True 1
Fn
Get Info type = Operating System True 1
Fn
Mutex (11)
»
Operation Additional Information Success Count Logfile
Create mutex_name = {3A4129E0-515F-7C10-AB0E-15700F2219A4} True 1
Fn
Create mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6} True 1
Fn
Create mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} True 1
Fn
Create mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45} True 1
Fn
Open mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE False 1
Fn
Open mutex_name = Local\{6C433A47-DB67-7E7B-C560-3F92C994E3E6}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Open mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Open mutex_name = Local\{53667D0F-9637-FD89-3837-2A81EC5BFE45}, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Release mutex_name = Local\{FB999B87-1EC7-E503-005F-32E93403862D} True 1
Fn
Network Behavior
HTTP Sessions (2)
»
Information Value
Total Data Sent 912 bytes
Total Data Received 8 bytes
Contacted Host Count 1
Contacted Hosts purbs.com
HTTP Session #1
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Server Name purbs.com
Server Port 443
Data Sent 442
Data Received 4
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC True 1
Fn
Open Connection protocol = HTTP, server_name = purbs.com, server_port = 443 True 1
Fn
Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /images/0RcBpczPE/RnhzOHSVr1TpkbdctKZT/tTrk4jpxXKbv4CH_2FI/eIKRtAHsz9aO225_2Fj6qM/0l2NhR4hPnXQU/C4DFMHnY/jvQJc5X0nMDMkjvqSXmHQya/KjFeI9lcAI/Ga_2Bm0j4eSP3wN17/ZET_2B0KJsbG/8ojG32FFsWP/OSJ2lf7AtmHU2V/YE32C2I3o/A0lbECMv/wP58m.gif, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = purbs.com/images/0RcBpczPE/RnhzOHSVr1TpkbdctKZT/tTrk4jpxXKbv4CH_2FI/eIKRtAHsz9aO225_2Fj6qM/0l2NhR4hPnXQU/C4DFMHnY/jvQJc5X0nMDMkjvqSXmHQya/KjFeI9lcAI/Ga_2Bm0j4eSP3wN17/ZET_2B0KJsbG/8ojG32FFsWP/OSJ2lf7AtmHU2V/YE32C2I3o/A0lbECMv/wP58m.gif False 1
Fn
Read Response size = 4096, size_out = 0 True 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Close Session - True 2
Fn
HTTP Session #2
»
Information Value
User Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)
Server Name purbs.com
Server Port 443
Data Sent 470
Data Received 4
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64), access_type = INTERNET_OPEN_TYPE_PRECONFIG, flags = INTERNET_FLAG_ASYNC True 1
Fn
Open Connection protocol = HTTP, server_name = purbs.com, server_port = 443 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /images/1Q3QMp_2FQ9TaHUd55/2fUhLiOJz/UZpd10_2F4v11yd6tdEO/MohIps62L2eIP1oRxg5/no0UUUC1aLYuV6OL9h7PIj/LPrgPDCAp9Zn9/n6_2FgkT/sLE4yJyGujc1o7gvbb6R6Zu/On3_2BTEFj/Y5QMrTbqya4730lFX/p6nGWi7rnU2D/tQdxI_2FwJd/eLntUhSEHNXLXk/RBBBMhlmkhAuDQ7oluvfk/UoN_2FsN/9.bmp, accept_types = 0, flags = INTERNET_FLAG_CACHE_ASYNC, INTERNET_FLAG_PRAGMA_NOCACHE, INTERNET_FLAG_IGNORE_CERT_CN_INVALID, INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, INTERNET_FLAG_KEEP_CONNECTION, INTERNET_FLAG_SECURE, INTERNET_FLAG_NO_CACHE_WRITE, INTERNET_FLAG_RELOAD True 1
Fn
Add HTTP Request Headers headers = Content-Type: multipart/form-data; boundary=--------------------------1146d711146d711146d71 True 1
Fn
Send HTTP Request headers = WINHTTP_NO_ADDITIONAL_HEADERS, url = purbs.com/images/1Q3QMp_2FQ9TaHUd55/2fUhLiOJz/UZpd10_2F4v11yd6tdEO/MohIps62L2eIP1oRxg5/no0UUUC1aLYuV6OL9h7PIj/LPrgPDCAp9Zn9/n6_2FgkT/sLE4yJyGujc1o7gvbb6R6Zu/On3_2BTEFj/Y5QMrTbqya4730lFX/p6nGWi7rnU2D/tQdxI_2FwJd/eLntUhSEHNXLXk/RBBBMhlmkhAuDQ7oluvfk/UoN_2FsN/9.bmp False 1
Fn
Query HTTP Info flags = HTTP_QUERY_FLAG_NUMBER, HTTP_QUERY_STATUS_CODE, size_out = 4 True 1
Fn
Data
Close Session - True 2
Fn
Process #9: cmd.exe
64 0
»
Information Value
ID #9
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "systeminfo.exe > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:10, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
»
Information Value
PID 0x560
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 4D4
0x BE4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000ee54970000 0xee54970000 0xee5498ffff Private Memory rw True False False -
pagefile_0x000000ee54970000 0xee54970000 0xee5497ffff Pagefile Backed Memory rw True False False -
private_0x000000ee54980000 0xee54980000 0xee54986fff Private Memory rw True False False -
pagefile_0x000000ee54990000 0xee54990000 0xee549a3fff Pagefile Backed Memory r True False False -
private_0x000000ee549b0000 0xee549b0000 0xee54aaffff Private Memory rw True False False -
pagefile_0x000000ee54ab0000 0xee54ab0000 0xee54ab3fff Pagefile Backed Memory r True False False -
pagefile_0x000000ee54ac0000 0xee54ac0000 0xee54ac0fff Pagefile Backed Memory r True False False -
private_0x000000ee54ad0000 0xee54ad0000 0xee54ad1fff Private Memory rw True False False -
locale.nls 0xee54ae0000 0xee54b9dfff Memory Mapped File r False False False -
private_0x000000ee54ba0000 0xee54ba0000 0xee54ba6fff Private Memory rw True False False -
private_0x000000ee54bf0000 0xee54bf0000 0xee54ceffff Private Memory rw True False False -
private_0x000000ee54cf0000 0xee54cf0000 0xee54deffff Private Memory rw True False False -
private_0x000000ee54fc0000 0xee54fc0000 0xee54fcffff Private Memory rw True False False -
sortdefault.nls 0xee54fd0000 0xee55306fff Memory Mapped File r False False False -
pagefile_0x00007df5ff400000 0x7df5ff400000 0x7ff5ff3fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4520000 0x7ff7b4520000 0x7ff7b461ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4620000 0x7ff7b4620000 0x7ff7b4642fff Pagefile Backed Memory r True False False -
private_0x00007ff7b4648000 0x7ff7b4648000 0x7ff7b4648fff Private Memory rw True False False -
private_0x00007ff7b464c000 0x7ff7b464c000 0x7ff7b464dfff Private Memory rw True False False -
private_0x00007ff7b464e000 0x7ff7b464e000 0x7ff7b464ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 2.19 KB MD5: 95164cb94e0099ebaf8204d2fac24e03
SHA1: 4e3c1c9677fd5b27558a8676d7ee5714f67b6b66
SHA256: 387d3395acc1e9a09aa9bf916027c2f958e179eb7fa2b1f3c782f8d96c95b254
SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM8wp:wtjQxDyVCX18Q3EKYeOmOEi6ZW8wp 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 2.07 KB MD5: f243c5ee67a72535da0288e1ad957037
SHA1: bd57e1c69509bf3b6efb5526eb106862afacbbcd
SHA256: 8ceb32a2d8f944f186ac649d757aed050da2f185d711a8ef72824e235a7ad8ed
SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM2:wtjQxDyVCX18Q3EKYeOmOEi6ZW2 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 2.18 KB MD5: 4a14ffd074969f6ac4124cf8012d959e
SHA1: cab42d68631919a0416fcd8db74294f40fd7f8f6
SHA256: ab0bc9d85b3ffd22b4f6edb5c00d74e7010c2ab1b4ddc620682ee247c4770912
SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBM8w0:wtjQxDyVCX18Q3EKYeOmOEi6ZW8w0 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 2.10 KB MD5: 3feb4607b93a9597595957709d6b150d
SHA1: ea963b0034aebc8d702b2d2ab33285b5001d703a
SHA256: 34073063c4a2d54f0eeaccf8439788ed0cc203e197a90ceca77e4142619d2964
SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBMw:wtjQxDyVCX18Q3EKYeOmOEi6ZWw 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 5.76 KB MD5: 5fcaaaa8ff4fa27e6980e193e143d7bd
SHA1: 1230e8c8ae3eeb2fc25b495bf3557e7e3063e752
SHA256: e17cdba6561014e0a01d756d69c881ccbc9d7d67471eee08413185e04d2dfa89
SSDeep: 96:wtjQxDyVCX18Q3EKYeOmOEi6ZW8wxqoEd+kcUOKbbipRYmMkTQ28j1g3paigcv70:weEVy8IYeOmOL8yEd+kcUOKbbipRYmMn 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 2.08 KB MD5: a233dd20e25ecb6c8aa47139078f4ec9
SHA1: 1988e5f2607a9842ffe55f40c20be19a65422fec
SHA256: e2cc6a6c62d5d18487b3047a5ed8eb4725ea9dc94b29f3d566cc0959ce0f4784
SSDeep: 48:wtjQxD3CK4PCX1iUkPGK/JIj3fG7XhygKYhkONYGqEMcCGEi6ZBMT:wtjQxDyVCX18Q3EKYeOmOEi6ZWT 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 26.95 KB MD5: c899c3bc51beac3ebb514e233930e5fa
SHA1: a57182040b53432dd887d76bc73cced20e48f717
SHA256: b2852659a9d2fad2507c8dc7a9eba38c7ad04a9e1806f546242dbfb8e1c73935
SSDeep: 768:BaIDOhL5Ed+kcUOKbbi7Ym12MaiPz9jAnr/ESZtlA8YkF7vpGCKoWfvozY9Z86IX:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZ1 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 48.25 KB MD5: c892049fc102a30285e8b98aa4c6b1e5
SHA1: 6c619c97f5ef82c3d2f5623534fadded48a4648c
SHA256: 90eb06e686edc493e6c9ca57b9b71897d27e904a8efafb6046154fff2c84f4c1
SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYk2:QPqYk2 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 48.24 KB MD5: 7b98a5c728f70583b66487c611d2b340
SHA1: 0fc33f6da9f866468fd2990ae0482a7c777c5462
SHA256: e293e56d0aef3aa369d6a89e0af90f6eb2cc89ca8a399a0e7252d08935b33d5e
SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYkJ:QPqYkJ 		False
...
Host Behavior
File (17)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info systeminfo.exe type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 9
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\systeminfo.exe os_pid = 0xa90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #11: makecab.exe
70 0
»
Information Value
ID #11
File Name c:\windows\system32\makecab.exe
Command Line makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin"
Initial Working Directory C:\Users\CIIHMN~1\AppData\Roaming\MICROS~1\{25E2F~1\
Monitor Start Time: 00:03:12, Reason: Child Process
Unmonitor End Time: 00:03:16, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0x848
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 6E4
0x BFC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f244970000 0xf244970000 0xf24498ffff Private Memory rw True False False -
pagefile_0x000000f244970000 0xf244970000 0xf24497ffff Pagefile Backed Memory rw True False False -
private_0x000000f244980000 0xf244980000 0xf244986fff Private Memory rw True False False -
pagefile_0x000000f244990000 0xf244990000 0xf2449a3fff Pagefile Backed Memory r True False False -
private_0x000000f2449b0000 0xf2449b0000 0xf244a2ffff Private Memory rw True False False -
pagefile_0x000000f244a30000 0xf244a30000 0xf244a33fff Pagefile Backed Memory r True False False -
pagefile_0x000000f244a40000 0xf244a40000 0xf244a41fff Pagefile Backed Memory r True False False -
private_0x000000f244a50000 0xf244a50000 0xf244a51fff Private Memory rw True False False -
private_0x000000f244a60000 0xf244a60000 0xf244a66fff Private Memory rw True False False -
private_0x000000f244a70000 0xf244a70000 0xf244a70fff Private Memory rw True False False -
private_0x000000f244a80000 0xf244a80000 0xf244a80fff Private Memory rw True False False -
tzres.dll 0xf244a90000 0xf244a92fff Memory Mapped File r False False False -
tzres.dll.mui 0xf244aa0000 0xf244aa8fff Memory Mapped File r False False False -
private_0x000000f244ab0000 0xf244ab0000 0xf244baffff Private Memory rw True False False -
locale.nls 0xf244bb0000 0xf244c6dfff Memory Mapped File r False False False -
private_0x000000f244c70000 0xf244c70000 0xf244ceffff Private Memory rw True False False -
private_0x000000f244d50000 0xf244d50000 0xf244d5ffff Private Memory rw True False False -
pagefile_0x000000f244d60000 0xf244d60000 0xf244ee7fff Pagefile Backed Memory r True False False -
pagefile_0x000000f244ef0000 0xf244ef0000 0xf245070fff Pagefile Backed Memory r True False False -
pagefile_0x000000f245080000 0xf245080000 0xf24647ffff Pagefile Backed Memory r True False False -
private_0x000000f246480000 0xf246480000 0xf24657ffff Private Memory rw True False False -
pagefile_0x00007df5ffc30000 0x7df5ffc30000 0x7ff5ffc2ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff780d40000 0x7ff780d40000 0x7ff780e3ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff780e40000 0x7ff780e40000 0x7ff780e62fff Pagefile Backed Memory r True False False -
private_0x00007ff780e68000 0x7ff780e68000 0x7ff780e68fff Private Memory rw True False False -
private_0x00007ff780e6c000 0x7ff780e6c000 0x7ff780e6dfff Private Memory rw True False False -
private_0x00007ff780e6e000 0x7ff780e6e000 0x7ff780e6ffff Private Memory rw True False False -
makecab.exe 0x7ff781df0000 0x7ff781e09fff Memory Mapped File rwx True False False -
version.dll 0x7ffb3d3b0000 0x7ffb3d3b9fff Memory Mapped File rwx False False False -
cabinet.dll 0x7ffb3e540000 0x7ffb3e566fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
setup.inf 0.93 KB MD5: 52b50016ed572ded1de3687896aa83ad
SHA1: 8ffcf485171d7e77b3156171e82cb7293dcd8db3
SHA256: bc55d8609514521f4433feaf43a2159c34bb6537907af11e9ef0c2aec3e0a8e8
SSDeep: 12:QxncDimwRL+unsP2neJhecfy+FkIncDimwRL+unhIv:QF8vwIun02nKheAyct8vwIunw 		False
...
setup.rpt 0.28 KB MD5: 64a168c47cde012b32be601327ec526a
SHA1: ba1287be83d885b83d92c819e02f4d39b4d43b84
SHA256: 5071a9809d9f61844fd29e6ead9856fa2cd3d716d5529bb18a74429e40aed501
SSDeep: 6:vgqG0l/ukwT2SVKQv7D0iws/bWiQTIKWd:vO0XwbBv7AiwsCWd 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3 0.03 KB MD5: 31b8a869a5f32847349c4679b7640251
SHA1: 6329ef473a0a031d927b659d200559f05a4229e0
SHA256: ae494fd3f7e864fda30d394332d762197dcd306db8361b675b35c25c61ab743e
SSDeep: 3:NLBocGDn:Zeca 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3:: 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4 0.04 KB MD5: fad5dc3d88f14b506a1cd1451f409122
SHA1: bacf424a3951506352c7640ed3c817551947eeb1
SHA256: ccdd94d2ac07b075d2ccc012ad5d1e2158a42d09d76b66d4caa1f378f5716fa8
SSDeep: 3:dJgVRl+znliduckvn:dq5+zliduLvn 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_9 0.01 KB MD5: 7b5b6c7bf41e6055abd4e74476e08575
SHA1: 5c05d3a68f69258d236f6d9677cc0a42e399e7cc
SHA256: 2392619f397925a165cf31634781d68b006c396611c425f6c67f338356e47f8f
SSDeep: 3:P:P 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin 0.16 KB MD5: ecfac958e0043e93e2160bcd67689223
SHA1: 6c8a5d9683ee5fa40f64a5c595dd0a0e465ad2a5
SHA256: 5bcc28bbfe71eafc16513edc82137fb3628ee14472511aaca33bc9e436679bdd
SSDeep: 3:wkltLl5/mh/LlElJ4RTlidNlQyiv2PuIX3Nv3BBNDKcwASzGEsKn:wsFmJLaGidNlQyivzIX9v33AczAGEn 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_6 0.03 KB MD5: f5229ed6188535f29d4909c9f66a1f5f
SHA1: d06d9efab1170c6725dfdb57dca82ddd06deca40
SHA256: 6f7b57d84c1b52470cfea1bfdad7c331a6030e1cc18a49e5f1b62878492bf2d7
SSDeep: 3:54RTlidC:2idC 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2 0.02 KB MD5: 4230347e5849e9c7230227a287ae4a41
SHA1: a3fa042694dc86f05973ac07231c95cf590d606a
SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd
SSDeep: 3:R0qxv:Rf 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_5 0.08 KB MD5: 9b7c67062c98970fbeee70e704792806
SHA1: b3cc082505413056d39b66e9ac049956e8fe8f63
SHA256: 6b656634aeac7fd407ef0ef095563851a41af0b0ed7d74250eafb29c04f8205b
SSDeep: 3:3lZjQyiv2PuIX3Nv3BBNDKcwASzGEsKn:rQyivzIX9v33AczAGEn 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_7 0.08 KB MD5: d1590e9fff9f288b89f78982a6ec02f1
SHA1: 4d8eb883e0994623bfb4d7eaf2b5717e92efb7db
SHA256: d1b27b955b4ee705abdd8135d563f940f39766ff12237b08fde323a8c75a10eb
SSDeep: 3:0lQyiv2PuIX3Nv3BBNDKcwASzGEsKn:0lQyivzIX9v33AczAGEn 		False
...
Host Behavior
File (66)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin file_attributes = _O_EXCL True 1
Fn
Create CAB02120.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 2
Fn
Create setup.inf file_attributes = _O_RDWR, _O_CREAT True 1
Fn
Create setup.rpt file_attributes = _O_RDWR, _O_CREAT True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin file_attributes = _O_EXCL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_5 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_6 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_7 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_8 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_9 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create 01D46BD24DAB98E809 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_10 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_11 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\6581.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_12 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_13 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2120_14 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create setup.inf file_attributes = _O_WRONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create setup.rpt file_attributes = _O_WRONLY True 1
Fn
Get Info 01D46BD24DAB98E809 type = file_attributes True 1
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 3 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 4096 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 3 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\5CDD.bin size = 4096 True 1
Fn
Data
Read - size = 32768 True 3
Fn
Data
Read - size = 32672 False 1
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 8 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 74 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 8 False 1
Fn
Read - size = 16 True 1
Fn
Data
Read - size = 256 True 1
Fn
Data
Read - size = 16 False 1
Fn
Read - size = 8 True 1
Fn
Data
Read - size = 8 False 1
Fn
Read - size = 32768 False 2
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2 size = 2048, size_out = 23 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_3 size = 2048, size_out = 30 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_4 size = 2048, size_out = 40 True 1
Fn
Data
Write - size = 16 True 2
Fn
Data
Write - size = 19 True 2
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 8 True 2
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 74 True 1
Fn
Data
Write - size = 8 True 2
Fn
Data
Write - size = 74 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 36 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 35 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 82 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02120.TMP size = 4 True 1
Fn
Data
Write setup.inf size = 23 True 1
Fn
Data
Write setup.inf size = 30 True 1
Fn
Data
Write setup.inf size = 40 True 1
Fn
Data
Module (3)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\makecab.exe base_address = 0x7ff781df0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7ffb45e30f40 True 1
Fn
System (1)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 1
Fn
Process #13: systeminfo.exe
0 0
»
Information Value
ID #13
File Name c:\windows\system32\systeminfo.exe
Command Line systeminfo.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:07
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xa90
Parent PID 0x560 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BC4
0x B04
0x A28
0x B00
0x AEC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a19e6c0000 0xa19e6c0000 0xa19e6dffff Private Memory rw True False False -
pagefile_0x000000a19e6c0000 0xa19e6c0000 0xa19e6cffff Pagefile Backed Memory rw True False False -
private_0x000000a19e6d0000 0xa19e6d0000 0xa19e6d6fff Private Memory rw True False False -
pagefile_0x000000a19e6e0000 0xa19e6e0000 0xa19e6f3fff Pagefile Backed Memory r True False False -
private_0x000000a19e700000 0xa19e700000 0xa19e77ffff Private Memory rw True False False -
pagefile_0x000000a19e780000 0xa19e780000 0xa19e783fff Pagefile Backed Memory r True False False -
pagefile_0x000000a19e790000 0xa19e790000 0xa19e790fff Pagefile Backed Memory r True False False -
private_0x000000a19e7a0000 0xa19e7a0000 0xa19e7a1fff Private Memory rw True False False -
private_0x000000a19e7b0000 0xa19e7b0000 0xa19e7b6fff Private Memory rw True False False -
systeminfo.exe.mui 0xa19e7c0000 0xa19e7c3fff Memory Mapped File r False False False -
private_0x000000a19e7d0000 0xa19e7d0000 0xa19e7d0fff Private Memory rw True False False -
private_0x000000a19e7e0000 0xa19e7e0000 0xa19e8dffff Private Memory rw True False False -
locale.nls 0xa19e8e0000 0xa19e99dfff Memory Mapped File r False False False -
private_0x000000a19e9a0000 0xa19e9a0000 0xa19ea1ffff Private Memory rw True False False -
private_0x000000a19ea20000 0xa19ea20000 0xa19ea20fff Private Memory rw True False False -
pagefile_0x000000a19ea30000 0xa19ea30000 0xa19ea30fff Pagefile Backed Memory r True False False -
pagefile_0x000000a19ea40000 0xa19ea40000 0xa19ea40fff Pagefile Backed Memory r True False False -
private_0x000000a19ea50000 0xa19ea50000 0xa19eacffff Private Memory rw True False False -
private_0x000000a19ead0000 0xa19ead0000 0xa19eb4ffff Private Memory rw True False False -
private_0x000000a19eb50000 0xa19eb50000 0xa19eb5ffff Private Memory rw True False False -
pagefile_0x000000a19eb60000 0xa19eb60000 0xa19ece7fff Pagefile Backed Memory r True False False -
pagefile_0x000000a19ecf0000 0xa19ecf0000 0xa19ee70fff Pagefile Backed Memory r True False False -
pagefile_0x000000a19ee80000 0xa19ee80000 0xa1a027ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0xa1a0280000 0xa1a05b6fff Memory Mapped File r False False False -
private_0x000000a1a05c0000 0xa1a05c0000 0xa1a063ffff Private Memory rw True False False -
pagefile_0x00007df5ffc30000 0x7df5ffc30000 0x7ff5ffc2ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6b8ac0000 0x7ff6b8ac0000 0x7ff6b8bbffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6b8bc0000 0x7ff6b8bc0000 0x7ff6b8be2fff Pagefile Backed Memory r True False False -
private_0x00007ff6b8be5000 0x7ff6b8be5000 0x7ff6b8be5fff Private Memory rw True False False -
private_0x00007ff6b8be6000 0x7ff6b8be6000 0x7ff6b8be7fff Private Memory rw True False False -
private_0x00007ff6b8be8000 0x7ff6b8be8000 0x7ff6b8be9fff Private Memory rw True False False -
private_0x00007ff6b8bea000 0x7ff6b8bea000 0x7ff6b8bebfff Private Memory rw True False False -
private_0x00007ff6b8bec000 0x7ff6b8bec000 0x7ff6b8bedfff Private Memory rw True False False -
private_0x00007ff6b8bee000 0x7ff6b8bee000 0x7ff6b8beffff Private Memory rw True False False -
systeminfo.exe 0x7ff6b9aa0000 0x7ff6b9abcfff Memory Mapped File rwx False False False -
framedynos.dll 0x7ffb36180000 0x7ffb361cdfff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7ffb38f70000 0x7ffb38f83fff Memory Mapped File rwx False False False -
fastprox.dll 0x7ffb38f90000 0x7ffb39087fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7ffb397a0000 0x7ffb397b0fff Memory Mapped File rwx False False False -
version.dll 0x7ffb3d3b0000 0x7ffb3d3b9fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7ffb3db20000 0x7ffb3db9efff Memory Mapped File rwx False False False -
mpr.dll 0x7ffb43de0000 0x7ffb43dfbfff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffb44070000 0x7ffb440a2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffb44420000 0x7ffb44436fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffb44590000 0x7ffb4459afff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffb447d0000 0x7ffb447fbfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffb449d0000 0x7ffb449f7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffb44a00000 0x7ffb44a6afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffb44c20000 0x7ffb44c2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffb45850000 0x7ffb458f4fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffb45da0000 0x7ffb45e08fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffb46250000 0x7ffb462a0fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
combase.dll 0x7ffb46610000 0x7ffb4688bfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffb47e30000 0x7ffb47ed5fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffb47f40000 0x7ffb47ffdfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Process #19: cmd.exe
62 0
»
Information Value
ID #19
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:20, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0x8f4
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 9F4
0x 7F8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f209fc0000 0xf209fc0000 0xf209fdffff Private Memory rw True False False -
pagefile_0x000000f209fc0000 0xf209fc0000 0xf209fcffff Pagefile Backed Memory rw True False False -
private_0x000000f209fd0000 0xf209fd0000 0xf209fd6fff Private Memory rw True False False -
pagefile_0x000000f209fe0000 0xf209fe0000 0xf209ff3fff Pagefile Backed Memory r True False False -
private_0x000000f20a000000 0xf20a000000 0xf20a0fffff Private Memory rw True False False -
pagefile_0x000000f20a100000 0xf20a100000 0xf20a103fff Pagefile Backed Memory r True False False -
pagefile_0x000000f20a110000 0xf20a110000 0xf20a110fff Pagefile Backed Memory r True False False -
private_0x000000f20a120000 0xf20a120000 0xf20a121fff Private Memory rw True False False -
private_0x000000f20a130000 0xf20a130000 0xf20a136fff Private Memory rw True False False -
private_0x000000f20a170000 0xf20a170000 0xf20a26ffff Private Memory rw True False False -
locale.nls 0xf20a270000 0xf20a32dfff Memory Mapped File r False False False -
private_0x000000f20a330000 0xf20a330000 0xf20a42ffff Private Memory rw True False False -
private_0x000000f20a600000 0xf20a600000 0xf20a60ffff Private Memory rw True False False -
pagefile_0x00007df5ff350000 0x7df5ff350000 0x7ff5ff34ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4650000 0x7ff7b4650000 0x7ff7b474ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4750000 0x7ff7b4750000 0x7ff7b4772fff Pagefile Backed Memory r True False False -
private_0x00007ff7b477a000 0x7ff7b477a000 0x7ff7b477afff Private Memory rw True False False -
private_0x00007ff7b477c000 0x7ff7b477c000 0x7ff7b477dfff Private Memory rw True False False -
private_0x00007ff7b477e000 0x7ff7b477e000 0x7ff7b477ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #21: cmd.exe
67 0
»
Information Value
ID #21
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "net view >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
»
Information Value
PID 0x428
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 534
0x 840
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
sortdefault.nls 0xb900000000 0xb900336fff Memory Mapped File r False False False -
private_0x000000b97f990000 0xb97f990000 0xb97f9affff Private Memory rw True False False -
pagefile_0x000000b97f990000 0xb97f990000 0xb97f99ffff Pagefile Backed Memory rw True False False -
private_0x000000b97f9a0000 0xb97f9a0000 0xb97f9a6fff Private Memory rw True False False -
pagefile_0x000000b97f9b0000 0xb97f9b0000 0xb97f9c3fff Pagefile Backed Memory r True False False -
private_0x000000b97f9d0000 0xb97f9d0000 0xb97facffff Private Memory rw True False False -
pagefile_0x000000b97fad0000 0xb97fad0000 0xb97fad3fff Pagefile Backed Memory r True False False -
pagefile_0x000000b97fae0000 0xb97fae0000 0xb97fae0fff Pagefile Backed Memory r True False False -
private_0x000000b97faf0000 0xb97faf0000 0xb97faf1fff Private Memory rw True False False -
locale.nls 0xb97fb00000 0xb97fbbdfff Memory Mapped File r False False False -
private_0x000000b97fbc0000 0xb97fbc0000 0xb97fbc6fff Private Memory rw True False False -
private_0x000000b97fbd0000 0xb97fbd0000 0xb97fccffff Private Memory rw True False False -
private_0x000000b97fcd0000 0xb97fcd0000 0xb97fdcffff Private Memory rw True False False -
private_0x000000b97fe30000 0xb97fe30000 0xb97fe3ffff Private Memory rw True False False -
pagefile_0x00007df5ff040000 0x7df5ff040000 0x7ff5ff03ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4980000 0x7ff7b4980000 0x7ff7b4a7ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4a80000 0x7ff7b4a80000 0x7ff7b4aa2fff Pagefile Backed Memory r True False False -
private_0x00007ff7b4aab000 0x7ff7b4aab000 0x7ff7b4aacfff Private Memory rw True False False -
private_0x00007ff7b4aad000 0x7ff7b4aad000 0x7ff7b4aaefff Private Memory rw True False False -
private_0x00007ff7b4aaf000 0x7ff7b4aaf000 0x7ff7b4aaffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (20)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\net.exe os_pid = 0x2c8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000002 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #23: net.exe
0 0
»
Information Value
ID #23
File Name c:\windows\system32\net.exe
Command Line net view
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:19, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:13
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x2c8
Parent PID 0x428 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 15C
0x 1B4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000f4ed910000 0xf4ed910000 0xf4ed92ffff Private Memory rw True False False -
pagefile_0x000000f4ed910000 0xf4ed910000 0xf4ed91ffff Pagefile Backed Memory rw True False False -
private_0x000000f4ed920000 0xf4ed920000 0xf4ed926fff Private Memory rw True False False -
pagefile_0x000000f4ed930000 0xf4ed930000 0xf4ed943fff Pagefile Backed Memory r True False False -
private_0x000000f4ed950000 0xf4ed950000 0xf4ed9cffff Private Memory rw True False False -
pagefile_0x000000f4ed9d0000 0xf4ed9d0000 0xf4ed9d3fff Pagefile Backed Memory r True False False -
pagefile_0x000000f4ed9e0000 0xf4ed9e0000 0xf4ed9e0fff Pagefile Backed Memory r True False False -
private_0x000000f4ed9f0000 0xf4ed9f0000 0xf4ed9f1fff Private Memory rw True False False -
locale.nls 0xf4eda00000 0xf4edabdfff Memory Mapped File r False False False -
private_0x000000f4edac0000 0xf4edac0000 0xf4edb3ffff Private Memory rw True False False -
private_0x000000f4edb40000 0xf4edb40000 0xf4edb46fff Private Memory rw True False False -
netmsg.dll 0xf4edb50000 0xf4edb52fff Memory Mapped File rwx False False False -
netmsg.dll.mui 0xf4edb60000 0xf4edb91fff Memory Mapped File r False False False -
private_0x000000f4edba0000 0xf4edba0000 0xf4edc9ffff Private Memory rw True False False -
private_0x000000f4edd90000 0xf4edd90000 0xf4edd9ffff Private Memory rw True False False -
pagefile_0x00007df5ffc40000 0x7df5ffc40000 0x7ff5ffc3ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff669bb0000 0x7ff669bb0000 0x7ff669caffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff669cb0000 0x7ff669cb0000 0x7ff669cd2fff Pagefile Backed Memory r True False False -
private_0x00007ff669cda000 0x7ff669cda000 0x7ff669cdbfff Private Memory rw True False False -
private_0x00007ff669cdc000 0x7ff669cdc000 0x7ff669cdcfff Private Memory rw True False False -
private_0x00007ff669cde000 0x7ff669cde000 0x7ff669cdffff Private Memory rw True False False -
net.exe 0x7ff66a400000 0x7ff66a41cfff Memory Mapped File rwx False False False -
cscapi.dll 0x7ffb3a360000 0x7ffb3a371fff Memory Mapped File rwx False False False -
browcli.dll 0x7ffb3c800000 0x7ffb3c813fff Memory Mapped File rwx False False False -
samcli.dll 0x7ffb41140000 0x7ffb41157fff Memory Mapped File rwx False False False -
wkscli.dll 0x7ffb416a0000 0x7ffb416b5fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffb423e0000 0x7ffb423eafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffb42400000 0x7ffb42437fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffb43de0000 0x7ffb43dfbfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffb43e00000 0x7ffb43e0bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffb43e10000 0x7ffb43e35fff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffb449d0000 0x7ffb449f7fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Process #24: cmd.exe
62 0
»
Information Value
ID #24
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:32, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x200
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 24C
0x 380
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000004007660000 0x4007660000 0x400767ffff Private Memory rw True False False -
pagefile_0x0000004007660000 0x4007660000 0x400766ffff Pagefile Backed Memory rw True False False -
private_0x0000004007670000 0x4007670000 0x4007676fff Private Memory rw True False False -
pagefile_0x0000004007680000 0x4007680000 0x4007693fff Pagefile Backed Memory r True False False -
private_0x00000040076a0000 0x40076a0000 0x400779ffff Private Memory rw True False False -
pagefile_0x00000040077a0000 0x40077a0000 0x40077a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000040077b0000 0x40077b0000 0x40077b0fff Pagefile Backed Memory r True False False -
private_0x00000040077c0000 0x40077c0000 0x40077c1fff Private Memory rw True False False -
locale.nls 0x40077d0000 0x400788dfff Memory Mapped File r False False False -
private_0x0000004007890000 0x4007890000 0x4007896fff Private Memory rw True False False -
private_0x0000004007910000 0x4007910000 0x4007a0ffff Private Memory rw True False False -
private_0x0000004007a10000 0x4007a10000 0x4007b0ffff Private Memory rw True False False -
private_0x0000004007c60000 0x4007c60000 0x4007c6ffff Private Memory rw True False False -
pagefile_0x00007df5ff030000 0x7df5ff030000 0x7ff5ff02ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4440000 0x7ff7b4440000 0x7ff7b453ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4540000 0x7ff7b4540000 0x7ff7b4562fff Pagefile Backed Memory r True False False -
private_0x00007ff7b456b000 0x7ff7b456b000 0x7ff7b456cfff Private Memory rw True False False -
private_0x00007ff7b456d000 0x7ff7b456d000 0x7ff7b456efff Private Memory rw True False False -
private_0x00007ff7b456f000 0x7ff7b456f000 0x7ff7b456ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #26: cmd.exe
67 0
»
Information Value
ID #26
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "nslookup 127.0.0.1 >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:31, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0x8cc
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8EC
0x F0
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000bc5c220000 0xbc5c220000 0xbc5c23ffff Private Memory rw True False False -
pagefile_0x000000bc5c220000 0xbc5c220000 0xbc5c22ffff Pagefile Backed Memory rw True False False -
private_0x000000bc5c230000 0xbc5c230000 0xbc5c236fff Private Memory rw True False False -
pagefile_0x000000bc5c240000 0xbc5c240000 0xbc5c253fff Pagefile Backed Memory r True False False -
private_0x000000bc5c260000 0xbc5c260000 0xbc5c35ffff Private Memory rw True False False -
pagefile_0x000000bc5c360000 0xbc5c360000 0xbc5c363fff Pagefile Backed Memory r True False False -
pagefile_0x000000bc5c370000 0xbc5c370000 0xbc5c370fff Pagefile Backed Memory r True False False -
private_0x000000bc5c380000 0xbc5c380000 0xbc5c381fff Private Memory rw True False False -
locale.nls 0xbc5c390000 0xbc5c44dfff Memory Mapped File r False False False -
private_0x000000bc5c450000 0xbc5c450000 0xbc5c54ffff Private Memory rw True False False -
private_0x000000bc5c550000 0xbc5c550000 0xbc5c64ffff Private Memory rw True False False -
private_0x000000bc5c650000 0xbc5c650000 0xbc5c656fff Private Memory rw True False False -
private_0x000000bc5c750000 0xbc5c750000 0xbc5c75ffff Private Memory rw True False False -
sortdefault.nls 0xbc5c760000 0xbc5ca96fff Memory Mapped File r False False False -
pagefile_0x00007df5ff1e0000 0x7df5ff1e0000 0x7ff5ff1dffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b3fc0000 0x7ff7b3fc0000 0x7ff7b40bffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b40c0000 0x7ff7b40c0000 0x7ff7b40e2fff Pagefile Backed Memory r True False False -
private_0x00007ff7b40e6000 0x7ff7b40e6000 0x7ff7b40e6fff Private Memory rw True False False -
private_0x00007ff7b40ec000 0x7ff7b40ec000 0x7ff7b40edfff Private Memory rw True False False -
private_0x00007ff7b40ee000 0x7ff7b40ee000 0x7ff7b40effff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (20)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\nslookup.exe os_pid = 0x410, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #28: nslookup.exe
8 11
»
Information Value
ID #28
File Name c:\windows\system32\nslookup.exe
Command Line nslookup 127.0.0.1
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x410
Parent PID 0x8cc (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 44C
0x 4B8
0x 618
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e0fc2c0000 0xe0fc2c0000 0xe0fc2dffff Private Memory rw True False False -
pagefile_0x000000e0fc2c0000 0xe0fc2c0000 0xe0fc2cffff Pagefile Backed Memory rw True False False -
private_0x000000e0fc2d0000 0xe0fc2d0000 0xe0fc2d6fff Private Memory rw True False False -
pagefile_0x000000e0fc2e0000 0xe0fc2e0000 0xe0fc2f3fff Pagefile Backed Memory r True False False -
private_0x000000e0fc300000 0xe0fc300000 0xe0fc37ffff Private Memory rw True False False -
pagefile_0x000000e0fc380000 0xe0fc380000 0xe0fc383fff Pagefile Backed Memory r True False False -
pagefile_0x000000e0fc390000 0xe0fc390000 0xe0fc390fff Pagefile Backed Memory r True False False -
private_0x000000e0fc3a0000 0xe0fc3a0000 0xe0fc3a1fff Private Memory rw True False False -
private_0x000000e0fc3b0000 0xe0fc3b0000 0xe0fc42ffff Private Memory rw True False False -
private_0x000000e0fc430000 0xe0fc430000 0xe0fc436fff Private Memory rw True False False -
private_0x000000e0fc440000 0xe0fc440000 0xe0fc53ffff Private Memory rw True False False -
locale.nls 0xe0fc540000 0xe0fc5fdfff Memory Mapped File r False False False -
imm32.dll 0xe0fc600000 0xe0fc633fff Memory Mapped File r False False False -
nslookup.exe.mui 0xe0fc600000 0xe0fc604fff Memory Mapped File r False False False -
private_0x000000e0fc610000 0xe0fc610000 0xe0fc610fff Private Memory rw True False False -
private_0x000000e0fc620000 0xe0fc620000 0xe0fc620fff Private Memory rw True False False -
private_0x000000e0fc640000 0xe0fc640000 0xe0fc64ffff Private Memory rw True False False -
pagefile_0x000000e0fc650000 0xe0fc650000 0xe0fc7d7fff Pagefile Backed Memory r True False False -
pagefile_0x000000e0fc7e0000 0xe0fc7e0000 0xe0fc960fff Pagefile Backed Memory r True False False -
pagefile_0x000000e0fc970000 0xe0fc970000 0xe0fdd6ffff Pagefile Backed Memory r True False False -
pagefile_0x00007df5ff600000 0x7df5ff600000 0x7ff5ff5fffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff762b10000 0x7ff762b10000 0x7ff762c0ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff762c10000 0x7ff762c10000 0x7ff762c32fff Pagefile Backed Memory r True False False -
private_0x00007ff762c3b000 0x7ff762c3b000 0x7ff762c3cfff Private Memory rw True False False -
private_0x00007ff762c3d000 0x7ff762c3d000 0x7ff762c3efff Private Memory rw True False False -
private_0x00007ff762c3f000 0x7ff762c3f000 0x7ff762c3ffff Private Memory rw True False False -
nslookup.exe 0x7ff763260000 0x7ff76327afff Memory Mapped File rwx True False False -
napinsp.dll 0x7ffb3a160000 0x7ffb3a174fff Memory Mapped File rwx False False False -
pnrpnsp.dll 0x7ffb3a1c0000 0x7ffb3a1d9fff Memory Mapped File rwx False False False -
winrnr.dll 0x7ffb3a1e0000 0x7ffb3a1ecfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x7ffb41300000 0x7ffb41319fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x7ffb41320000 0x7ffb41335fff Memory Mapped File rwx False False False -
nlaapi.dll 0x7ffb41f20000 0x7ffb41f37fff Memory Mapped File rwx False False False -
winnsi.dll 0x7ffb423e0000 0x7ffb423eafff Memory Mapped File rwx False False False -
iphlpapi.dll 0x7ffb42400000 0x7ffb42437fff Memory Mapped File rwx False False False -
dnsapi.dll 0x7ffb441c0000 0x7ffb44267fff Memory Mapped File rwx False False False -
mswsock.dll 0x7ffb443c0000 0x7ffb4441cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffb45da0000 0x7ffb45e08fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
Registry (7)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient - False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DNSLookupOrder False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = Domain True 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpDomain False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = SearchList False 1
Fn
Read Value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters value_name = DhcpSearchList False 1
Fn
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\nslookup.exe base_address = 0x7ff763260000 True 1
Fn
Network Behavior
DNS (1)
»
Operation Additional Information Success Count Logfile
Get Hostname name_out = LHnIwsj True 1
Fn
UDP Sessions (2)
»
Information Value
Total Data Sent 82 bytes
Total Data Received 105 bytes
Contacted Host Count 1
Contacted Hosts 192.168.0.1:53
UDP Session #1
»
Information Value
Handle 0x148
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 59246
Data Sent 42 bytes
Data Received 42 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 42 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
UDP Session #2
»
Information Value
Handle 0x148
Address Family AF_INET
Type SOCK_DGRAM
Protocol IPPROTO_IP
Remote Address 192.168.0.1
Remote Port 53
Local Address 0.0.0.0
Local Port 59246
Data Sent 40 bytes
Data Received 63 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Connect remote_address = 192.168.0.1, remote_port = 53 True 1
Fn
Send flags = NO_FLAG_SET, size = 40, size_out = 40 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65536, size_out = 63 True 1
Fn
Data
Close type = SOCK_DGRAM True 1
Fn
Process #29: cmd.exe
62 0
»
Information Value
ID #29
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x274
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 770
0x 630
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000008eec0a0000 0x8eec0a0000 0x8eec0bffff Private Memory rw True False False -
pagefile_0x0000008eec0a0000 0x8eec0a0000 0x8eec0affff Pagefile Backed Memory rw True False False -
private_0x0000008eec0b0000 0x8eec0b0000 0x8eec0b6fff Private Memory rw True False False -
pagefile_0x0000008eec0c0000 0x8eec0c0000 0x8eec0d3fff Pagefile Backed Memory r True False False -
private_0x0000008eec0e0000 0x8eec0e0000 0x8eec1dffff Private Memory rw True False False -
pagefile_0x0000008eec1e0000 0x8eec1e0000 0x8eec1e3fff Pagefile Backed Memory r True False False -
pagefile_0x0000008eec1f0000 0x8eec1f0000 0x8eec1f0fff Pagefile Backed Memory r True False False -
private_0x0000008eec200000 0x8eec200000 0x8eec201fff Private Memory rw True False False -
locale.nls 0x8eec210000 0x8eec2cdfff Memory Mapped File r False False False -
private_0x0000008eec2d0000 0x8eec2d0000 0x8eec2d6fff Private Memory rw True False False -
private_0x0000008eec370000 0x8eec370000 0x8eec46ffff Private Memory rw True False False -
private_0x0000008eec470000 0x8eec470000 0x8eec56ffff Private Memory rw True False False -
private_0x0000008eec660000 0x8eec660000 0x8eec66ffff Private Memory rw True False False -
pagefile_0x00007df5ffc90000 0x7df5ffc90000 0x7ff5ffc8ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4de0000 0x7ff7b4de0000 0x7ff7b4edffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4ee0000 0x7ff7b4ee0000 0x7ff7b4f02fff Pagefile Backed Memory r True False False -
private_0x00007ff7b4f0a000 0x7ff7b4f0a000 0x7ff7b4f0bfff Private Memory rw True False False -
private_0x00007ff7b4f0c000 0x7ff7b4f0c000 0x7ff7b4f0dfff Private Memory rw True False False -
private_0x00007ff7b4f0e000 0x7ff7b4f0e000 0x7ff7b4f0efff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #31: cmd.exe
68 0
»
Information Value
ID #31
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "tasklist.exe /SVC >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0xb18
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BEC
0x 124
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000012561c0000 0x12561c0000 0x12561dffff Private Memory rw True False False -
pagefile_0x00000012561c0000 0x12561c0000 0x12561cffff Pagefile Backed Memory rw True False False -
private_0x00000012561d0000 0x12561d0000 0x12561d6fff Private Memory rw True False False -
pagefile_0x00000012561e0000 0x12561e0000 0x12561f3fff Pagefile Backed Memory r True False False -
private_0x0000001256200000 0x1256200000 0x12562fffff Private Memory rw True False False -
pagefile_0x0000001256300000 0x1256300000 0x1256303fff Pagefile Backed Memory r True False False -
pagefile_0x0000001256310000 0x1256310000 0x1256310fff Pagefile Backed Memory r True False False -
private_0x0000001256320000 0x1256320000 0x1256321fff Private Memory rw True False False -
private_0x0000001256330000 0x1256330000 0x1256336fff Private Memory rw True False False -
private_0x0000001256380000 0x1256380000 0x125647ffff Private Memory rw True False False -
locale.nls 0x1256480000 0x125653dfff Memory Mapped File r False False False -
private_0x0000001256540000 0x1256540000 0x125663ffff Private Memory rw True False False -
private_0x0000001256740000 0x1256740000 0x125674ffff Private Memory rw True False False -
sortdefault.nls 0x1256750000 0x1256a86fff Memory Mapped File r False False False -
pagefile_0x00007df5fffa0000 0x7df5fffa0000 0x7ff5fff9ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4450000 0x7ff7b4450000 0x7ff7b454ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4550000 0x7ff7b4550000 0x7ff7b4572fff Pagefile Backed Memory r True False False -
private_0x00007ff7b457b000 0x7ff7b457b000 0x7ff7b457cfff Private Memory rw True False False -
private_0x00007ff7b457d000 0x7ff7b457d000 0x7ff7b457efff Private Memory rw True False False -
private_0x00007ff7b457f000 0x7ff7b457f000 0x7ff7b457ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (21)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Get Info tasklist.exe type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\tasklist.exe os_pid = 0xa3c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #33: tasklist.exe
0 0
»
Information Value
ID #33
File Name c:\windows\system32\tasklist.exe
Command Line tasklist.exe /SVC
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:33, Reason: Self Terminated
Monitor Duration 00:00:01
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0xa3c
Parent PID 0xb18 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 558
0x 540
0x 984
0x 8E0
0x 880
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000020fbd0000 0x20fbd0000 0x20fbeffff Private Memory rw True False False -
pagefile_0x000000020fbd0000 0x20fbd0000 0x20fbdffff Pagefile Backed Memory rw True False False -
private_0x000000020fbe0000 0x20fbe0000 0x20fbe6fff Private Memory rw True False False -
pagefile_0x000000020fbf0000 0x20fbf0000 0x20fc03fff Pagefile Backed Memory r True False False -
private_0x000000020fc10000 0x20fc10000 0x20fc8ffff Private Memory rw True False False -
pagefile_0x000000020fc90000 0x20fc90000 0x20fc93fff Pagefile Backed Memory r True False False -
pagefile_0x000000020fca0000 0x20fca0000 0x20fca0fff Pagefile Backed Memory r True False False -
private_0x000000020fcb0000 0x20fcb0000 0x20fcb1fff Private Memory rw True False False -
locale.nls 0x20fcc0000 0x20fd7dfff Memory Mapped File r False False False -
private_0x000000020fd80000 0x20fd80000 0x20fdfffff Private Memory rw True False False -
private_0x000000020fe00000 0x20fe00000 0x20fe06fff Private Memory rw True False False -
tasklist.exe.mui 0x20fe10000 0x20fe13fff Memory Mapped File r False False False -
private_0x000000020fe20000 0x20fe20000 0x20ff1ffff Private Memory rw True False False -
pagefile_0x000000020ff20000 0x20ff20000 0x2100a7fff Pagefile Backed Memory r True False False -
private_0x00000002100b0000 0x2100b0000 0x2100b0fff Private Memory rw True False False -
private_0x00000002100c0000 0x2100c0000 0x2100c0fff Private Memory rw True False False -
pagefile_0x00000002100d0000 0x2100d0000 0x2100d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000002100e0000 0x2100e0000 0x2100e0fff Pagefile Backed Memory r True False False -
wmiutils.dll.mui 0x2100f0000 0x2100f4fff Memory Mapped File r False False False -
private_0x0000000210110000 0x210110000 0x21011ffff Private Memory rw True False False -
pagefile_0x0000000210120000 0x210120000 0x2102a0fff Pagefile Backed Memory r True False False -
pagefile_0x00000002102b0000 0x2102b0000 0x2116affff Pagefile Backed Memory r True False False -
sortdefault.nls 0x2116b0000 0x2119e6fff Memory Mapped File r False False False -
kernelbase.dll.mui 0x2119f0000 0x211acefff Memory Mapped File r False False False -
private_0x0000000211ad0000 0x211ad0000 0x211b4ffff Private Memory rw True False False -
private_0x0000000211b50000 0x211b50000 0x211bcffff Private Memory rw True False False -
private_0x0000000211bd0000 0x211bd0000 0x211c4ffff Private Memory rw True False False -
pagefile_0x00007df5ff470000 0x7df5ff470000 0x7ff5ff46ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff6f1a80000 0x7ff6f1a80000 0x7ff6f1b7ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff6f1b80000 0x7ff6f1b80000 0x7ff6f1ba2fff Pagefile Backed Memory r True False False -
private_0x00007ff6f1ba4000 0x7ff6f1ba4000 0x7ff6f1ba5fff Private Memory rw True False False -
private_0x00007ff6f1ba6000 0x7ff6f1ba6000 0x7ff6f1ba7fff Private Memory rw True False False -
private_0x00007ff6f1ba8000 0x7ff6f1ba8000 0x7ff6f1ba8fff Private Memory rw True False False -
private_0x00007ff6f1baa000 0x7ff6f1baa000 0x7ff6f1babfff Private Memory rw True False False -
private_0x00007ff6f1bac000 0x7ff6f1bac000 0x7ff6f1badfff Private Memory rw True False False -
private_0x00007ff6f1bae000 0x7ff6f1bae000 0x7ff6f1baffff Private Memory rw True False False -
tasklist.exe 0x7ff6f26c0000 0x7ff6f26dcfff Memory Mapped File rwx False False False -
dbghelp.dll 0x7ffb35d00000 0x7ffb35e89fff Memory Mapped File rwx False False False -
framedynos.dll 0x7ffb36180000 0x7ffb361cdfff Memory Mapped File rwx False False False -
wmiutils.dll 0x7ffb38f40000 0x7ffb38f64fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x7ffb38f70000 0x7ffb38f83fff Memory Mapped File rwx False False False -
fastprox.dll 0x7ffb38f90000 0x7ffb39087fff Memory Mapped File rwx False False False -
wbemprox.dll 0x7ffb397a0000 0x7ffb397b0fff Memory Mapped File rwx False False False -
version.dll 0x7ffb3d3b0000 0x7ffb3d3b9fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x7ffb3db20000 0x7ffb3db9efff Memory Mapped File rwx False False False -
mpr.dll 0x7ffb43de0000 0x7ffb43dfbfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffb43e00000 0x7ffb43e0bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffb43e10000 0x7ffb43e35fff Memory Mapped File rwx False False False -
rsaenh.dll 0x7ffb44070000 0x7ffb440a2fff Memory Mapped File rwx False False False -
cryptsp.dll 0x7ffb44420000 0x7ffb44436fff Memory Mapped File rwx False False False -
cryptbase.dll 0x7ffb44590000 0x7ffb4459afff Memory Mapped File rwx False False False -
winsta.dll 0x7ffb44620000 0x7ffb44677fff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffb447d0000 0x7ffb447fbfff Memory Mapped File rwx False False False -
bcrypt.dll 0x7ffb449d0000 0x7ffb449f7fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffb44a00000 0x7ffb44a6afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffb44c20000 0x7ffb44c2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
clbcatq.dll 0x7ffb45850000 0x7ffb458f4fff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffb45da0000 0x7ffb45e08fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffb46250000 0x7ffb462a0fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
combase.dll 0x7ffb46610000 0x7ffb4688bfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffb47e30000 0x7ffb47ed5fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffb47f40000 0x7ffb47ffdfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Process #34: cmd.exe
62 0
»
Information Value
ID #34
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:34, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0xbbc
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BFC
0x AEC
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000073a5b40000 0x73a5b40000 0x73a5b5ffff Private Memory rw True False False -
pagefile_0x00000073a5b40000 0x73a5b40000 0x73a5b4ffff Pagefile Backed Memory rw True False False -
private_0x00000073a5b50000 0x73a5b50000 0x73a5b56fff Private Memory rw True False False -
pagefile_0x00000073a5b60000 0x73a5b60000 0x73a5b73fff Pagefile Backed Memory r True False False -
private_0x00000073a5b80000 0x73a5b80000 0x73a5c7ffff Private Memory rw True False False -
pagefile_0x00000073a5c80000 0x73a5c80000 0x73a5c83fff Pagefile Backed Memory r True False False -
pagefile_0x00000073a5c90000 0x73a5c90000 0x73a5c90fff Pagefile Backed Memory r True False False -
private_0x00000073a5ca0000 0x73a5ca0000 0x73a5ca1fff Private Memory rw True False False -
locale.nls 0x73a5cb0000 0x73a5d6dfff Memory Mapped File r False False False -
private_0x00000073a5d70000 0x73a5d70000 0x73a5d76fff Private Memory rw True False False -
private_0x00000073a5e30000 0x73a5e30000 0x73a5f2ffff Private Memory rw True False False -
private_0x00000073a5f30000 0x73a5f30000 0x73a602ffff Private Memory rw True False False -
private_0x00000073a6190000 0x73a6190000 0x73a619ffff Private Memory rw True False False -
pagefile_0x00007df5ff980000 0x7df5ff980000 0x7ff5ff97ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4010000 0x7ff7b4010000 0x7ff7b410ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4110000 0x7ff7b4110000 0x7ff7b4132fff Pagefile Backed Memory r True False False -
private_0x00007ff7b413b000 0x7ff7b413b000 0x7ff7b413bfff Private Memory rw True False False -
private_0x00007ff7b413c000 0x7ff7b413c000 0x7ff7b413dfff Private Memory rw True False False -
private_0x00007ff7b413e000 0x7ff7b413e000 0x7ff7b413ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #36: cmd.exe
68 0
»
Information Value
ID #36
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "driverquery.exe >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
»
Information Value
PID 0xb00
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BC4
0x 5A8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000be8d000000 0xbe8d000000 0xbe8d01ffff Private Memory rw True False False -
pagefile_0x000000be8d000000 0xbe8d000000 0xbe8d00ffff Pagefile Backed Memory rw True False False -
private_0x000000be8d010000 0xbe8d010000 0xbe8d016fff Private Memory rw True False False -
pagefile_0x000000be8d020000 0xbe8d020000 0xbe8d033fff Pagefile Backed Memory r True False False -
private_0x000000be8d040000 0xbe8d040000 0xbe8d13ffff Private Memory rw True False False -
pagefile_0x000000be8d140000 0xbe8d140000 0xbe8d143fff Pagefile Backed Memory r True False False -
pagefile_0x000000be8d150000 0xbe8d150000 0xbe8d150fff Pagefile Backed Memory r True False False -
private_0x000000be8d160000 0xbe8d160000 0xbe8d161fff Private Memory rw True False False -
locale.nls 0xbe8d170000 0xbe8d22dfff Memory Mapped File r False False False -
private_0x000000be8d230000 0xbe8d230000 0xbe8d236fff Private Memory rw True False False -
private_0x000000be8d280000 0xbe8d280000 0xbe8d37ffff Private Memory rw True False False -
private_0x000000be8d380000 0xbe8d380000 0xbe8d47ffff Private Memory rw True False False -
private_0x000000be8d560000 0xbe8d560000 0xbe8d56ffff Private Memory rw True False False -
sortdefault.nls 0xbe8d570000 0xbe8d8a6fff Memory Mapped File r False False False -
pagefile_0x00007df5ff340000 0x7df5ff340000 0x7ff5ff33ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4100000 0x7ff7b4100000 0x7ff7b41fffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4200000 0x7ff7b4200000 0x7ff7b4222fff Pagefile Backed Memory r True False False -
private_0x00007ff7b422b000 0x7ff7b422b000 0x7ff7b422bfff Private Memory rw True False False -
private_0x00007ff7b422c000 0x7ff7b422c000 0x7ff7b422dfff Private Memory rw True False False -
private_0x00007ff7b422e000 0x7ff7b422e000 0x7ff7b422ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (21)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Get Info driverquery.exe type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\driverquery.exe os_pid = 0x9a8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #38: driverquery.exe
0 0
»
Information Value
ID #38
File Name c:\windows\system32\driverquery.exe
Command Line driverquery.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:33, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:05
Remark No high level activity detected in monitored regions
OS Process Information
»
Information Value
PID 0x9a8
Parent PID 0xb00 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 8E4
0x 9F4
0x 7F8
0x 554
0x 7C4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000a5cfdc0000 0xa5cfdc0000 0xa5cfddffff Private Memory rw True False False -
pagefile_0x000000a5cfdc0000 0xa5cfdc0000 0xa5cfdcffff Pagefile Backed Memory rw True False False -
private_0x000000a5cfdd0000 0xa5cfdd0000 0xa5cfdd6fff Private Memory rw True False False -
pagefile_0x000000a5cfde0000 0xa5cfde0000 0xa5cfdf3fff Pagefile Backed Memory r True False False -
private_0x000000a5cfe00000 0xa5cfe00000 0xa5cfe7ffff Private Memory rw True False False -
pagefile_0x000000a5cfe80000 0xa5cfe80000 0xa5cfe83fff Pagefile Backed Memory r True False False -
pagefile_0x000000a5cfe90000 0xa5cfe90000 0xa5cfe90fff Pagefile Backed Memory r True False False -
private_0x000000a5cfea0000 0xa5cfea0000 0xa5cfea1fff Private Memory rw True False False -
locale.nls 0xa5cfeb0000 0xa5cff6dfff Memory Mapped File r False False False -
private_0x000000a5cff70000 0xa5cff70000 0xa5cffeffff Private Memory rw True False False -
private_0x000000a5cfff0000 0xa5cfff0000 0xa5d00effff Private Memory rw True False False -
private_0x000000a5d00f0000 0xa5d00f0000 0xa5d00f6fff Private Memory rw True False False -
driverquery.exe.mui 0xa5d0100000 0xa5d0103fff Memory Mapped File r False False False -
private_0x000000a5d0110000 0xa5d0110000 0xa5d0110fff Private Memory rw True False False -
private_0x000000a5d0120000 0xa5d0120000 0xa5d0120fff Private Memory rw True False False -
private_0x000000a5d01c0000 0xa5d01c0000 0xa5d01cffff Private Memory rw True False False -
pagefile_0x000000a5d01d0000 0xa5d01d0000 0xa5d0357fff Pagefile Backed Memory r True False False -
pagefile_0x000000a5d0360000 0xa5d0360000 0xa5d04e0fff Pagefile Backed Memory r True False False -
pagefile_0x000000a5d04f0000 0xa5d04f0000 0xa5d18effff Pagefile Backed Memory r True False False -
sortdefault.nls 0xa5d18f0000 0xa5d1c26fff Memory Mapped File r False False False -
private_0x000000a5d1dc0000 0xa5d1dc0000 0xa5d1dcffff Private Memory rw True False False -
pagefile_0x00007df5ff760000 0x7df5ff760000 0x7ff5ff75ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff653e30000 0x7ff653e30000 0x7ff653f2ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff653f30000 0x7ff653f30000 0x7ff653f52fff Pagefile Backed Memory r True False False -
private_0x00007ff653f56000 0x7ff653f56000 0x7ff653f56fff Private Memory rw True False False -
private_0x00007ff653f5c000 0x7ff653f5c000 0x7ff653f5dfff Private Memory rw True False False -
private_0x00007ff653f5e000 0x7ff653f5e000 0x7ff653f5ffff Private Memory rw True False False -
driverquery.exe 0x7ff654e20000 0x7ff654e38fff Memory Mapped File rwx False False False -
framedynos.dll 0x7ffb36180000 0x7ffb361cdfff Memory Mapped File rwx False False False -
version.dll 0x7ffb3d3b0000 0x7ffb3d3b9fff Memory Mapped File rwx False False False -
uxtheme.dll 0x7ffb43480000 0x7ffb43515fff Memory Mapped File rwx False False False -
mpr.dll 0x7ffb43de0000 0x7ffb43dfbfff Memory Mapped File rwx False False False -
netutils.dll 0x7ffb43e00000 0x7ffb43e0bfff Memory Mapped File rwx False False False -
srvcli.dll 0x7ffb43e10000 0x7ffb43e35fff Memory Mapped File rwx False False False -
sspicli.dll 0x7ffb447d0000 0x7ffb447fbfff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x7ffb44a00000 0x7ffb44a6afff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x7ffb44c20000 0x7ffb44c2efff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffb45da0000 0x7ffb45e08fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
shlwapi.dll 0x7ffb46250000 0x7ffb462a0fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
combase.dll 0x7ffb46610000 0x7ffb4688bfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
oleaut32.dll 0x7ffb47f40000 0x7ffb47ffdfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Process #39: cmd.exe
62 0
»
Information Value
ID #39
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:36, Reason: Child Process
Unmonitor End Time: 00:03:38, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0x8c0
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x B0
0x 8F8
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000022cdd60000 0x22cdd60000 0x22cdd7ffff Private Memory rw True False False -
pagefile_0x00000022cdd60000 0x22cdd60000 0x22cdd6ffff Pagefile Backed Memory rw True False False -
private_0x00000022cdd70000 0x22cdd70000 0x22cdd76fff Private Memory rw True False False -
pagefile_0x00000022cdd80000 0x22cdd80000 0x22cdd93fff Pagefile Backed Memory r True False False -
private_0x00000022cdda0000 0x22cdda0000 0x22cde9ffff Private Memory rw True False False -
pagefile_0x00000022cdea0000 0x22cdea0000 0x22cdea3fff Pagefile Backed Memory r True False False -
pagefile_0x00000022cdeb0000 0x22cdeb0000 0x22cdeb0fff Pagefile Backed Memory r True False False -
private_0x00000022cdec0000 0x22cdec0000 0x22cdec1fff Private Memory rw True False False -
locale.nls 0x22cded0000 0x22cdf8dfff Memory Mapped File r False False False -
private_0x00000022cdf90000 0x22cdf90000 0x22cdf96fff Private Memory rw True False False -
private_0x00000022ce020000 0x22ce020000 0x22ce11ffff Private Memory rw True False False -
private_0x00000022ce120000 0x22ce120000 0x22ce21ffff Private Memory rw True False False -
private_0x00000022ce3f0000 0x22ce3f0000 0x22ce3fffff Private Memory rw True False False -
pagefile_0x00007df5ff470000 0x7df5ff470000 0x7ff5ff46ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b49c0000 0x7ff7b49c0000 0x7ff7b4abffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4ac0000 0x7ff7b4ac0000 0x7ff7b4ae2fff Pagefile Backed Memory r True False False -
private_0x00007ff7b4ae7000 0x7ff7b4ae7000 0x7ff7b4ae7fff Private Memory rw True False False -
private_0x00007ff7b4aec000 0x7ff7b4aec000 0x7ff7b4aedfff Private Memory rw True False False -
private_0x00007ff7b4aee000 0x7ff7b4aee000 0x7ff7b4aeffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #41: cmd.exe
68 0
»
Information Value
ID #41
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0xb6c
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 7E8
0x A94
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x00000071556e0000 0x71556e0000 0x71556fffff Private Memory rw True False False -
pagefile_0x00000071556e0000 0x71556e0000 0x71556effff Pagefile Backed Memory rw True False False -
private_0x00000071556f0000 0x71556f0000 0x71556f6fff Private Memory rw True False False -
pagefile_0x0000007155700000 0x7155700000 0x7155713fff Pagefile Backed Memory r True False False -
private_0x0000007155720000 0x7155720000 0x715581ffff Private Memory rw True False False -
pagefile_0x0000007155820000 0x7155820000 0x7155823fff Pagefile Backed Memory r True False False -
pagefile_0x0000007155830000 0x7155830000 0x7155830fff Pagefile Backed Memory r True False False -
private_0x0000007155840000 0x7155840000 0x7155841fff Private Memory rw True False False -
locale.nls 0x7155850000 0x715590dfff Memory Mapped File r False False False -
private_0x0000007155910000 0x7155910000 0x7155916fff Private Memory rw True False False -
private_0x0000007155950000 0x7155950000 0x7155a4ffff Private Memory rw True False False -
private_0x0000007155a50000 0x7155a50000 0x7155b4ffff Private Memory rw True False False -
private_0x0000007155cb0000 0x7155cb0000 0x7155cbffff Private Memory rw True False False -
sortdefault.nls 0x7155cc0000 0x7155ff6fff Memory Mapped File r False False False -
pagefile_0x00007df5ff730000 0x7df5ff730000 0x7ff5ff72ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4190000 0x7ff7b4190000 0x7ff7b428ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4290000 0x7ff7b4290000 0x7ff7b42b2fff Pagefile Backed Memory r True False False -
private_0x00007ff7b42b9000 0x7ff7b42b9000 0x7ff7b42b9fff Private Memory rw True False False -
private_0x00007ff7b42bc000 0x7ff7b42bc000 0x7ff7b42bdfff Private Memory rw True False False -
private_0x00007ff7b42be000 0x7ff7b42be000 0x7ff7b42bffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (21)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Get Info reg.exe type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 10
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Process (1)
»
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\reg.exe os_pid = 0x534, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (19)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 7
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 2
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 2
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Set Environment String name = COPYCMD True 1
Fn
Set Environment String name = =ExitCode, value = 00000000 True 1
Fn
Set Environment String name = =ExitCodeAscii True 1
Fn
Process #43: reg.exe
6517 0
»
Information Value
ID #43
File Name c:\windows\system32\reg.exe
Command Line reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:37, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0x534
Parent PID 0xb6c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 840
0x 1A4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000e909710000 0xe909710000 0xe90972ffff Private Memory rw True False False -
pagefile_0x000000e909710000 0xe909710000 0xe90971ffff Pagefile Backed Memory rw True False False -
private_0x000000e909720000 0xe909720000 0xe909726fff Private Memory rw True False False -
pagefile_0x000000e909730000 0xe909730000 0xe909743fff Pagefile Backed Memory r True False False -
private_0x000000e909750000 0xe909750000 0xe9097cffff Private Memory rw True False False -
pagefile_0x000000e9097d0000 0xe9097d0000 0xe9097d3fff Pagefile Backed Memory r True False False -
pagefile_0x000000e9097e0000 0xe9097e0000 0xe9097e0fff Pagefile Backed Memory r True False False -
private_0x000000e9097f0000 0xe9097f0000 0xe9097f1fff Private Memory rw True False False -
locale.nls 0xe909800000 0xe9098bdfff Memory Mapped File r False False False -
private_0x000000e9098c0000 0xe9098c0000 0xe9098c6fff Private Memory rw True False False -
private_0x000000e9098d0000 0xe9098d0000 0xe9099cffff Private Memory rw True False False -
private_0x000000e9099d0000 0xe9099d0000 0xe909a4ffff Private Memory rw True False False -
private_0x000000e909c10000 0xe909c10000 0xe909c1ffff Private Memory rw True False False -
sortdefault.nls 0xe909c20000 0xe909f56fff Memory Mapped File r False False False -
pagefile_0x00007df5ff120000 0x7df5ff120000 0x7ff5ff11ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff75d010000 0x7ff75d010000 0x7ff75d10ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff75d110000 0x7ff75d110000 0x7ff75d132fff Pagefile Backed Memory r True False False -
private_0x00007ff75d133000 0x7ff75d133000 0x7ff75d133fff Private Memory rw True False False -
private_0x00007ff75d13c000 0x7ff75d13c000 0x7ff75d13dfff Private Memory rw True False False -
private_0x00007ff75d13e000 0x7ff75d13e000 0x7ff75d13ffff Private Memory rw True False False -
reg.exe 0x7ff75d930000 0x7ff75d985fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
sechost.dll 0x7ffb45ac0000 0x7ffb45b1afff Memory Mapped File rwx False False False -
rpcrt4.dll 0x7ffb45b20000 0x7ffb45c45fff Memory Mapped File rwx False False False -
ws2_32.dll 0x7ffb45da0000 0x7ffb45e08fff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
nsi.dll 0x7ffb47e20000 0x7ffb47e27fff Memory Mapped File rwx False False False -
advapi32.dll 0x7ffb47e30000 0x7ffb47ed5fff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (5260)
»
Operation Filename Additional Information Success Count Logfile
Get Info STD_OUTPUT_HANDLE type = file_type True 2630
Fn
Open STD_OUTPUT_HANDLE - True 2630
Fn
Registry (1225)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2 - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayName, data = Mozilla Maintenance Service True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = UninstallString, data = "C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe" True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayIcon, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayIcon, data = C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe,0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = DisplayVersion, data = 53.0.3 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = Publisher, data = Mozilla True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = Comments, data = Mozilla Maintenance Service True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService value_name = EstimatedSize, data = 426 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProjectProRetail.16_en-us_x-none culture=en-us version.16=16.0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoRepair, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoRemove, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoRemove, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = NoModify, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayIcon, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayName, data = Microsoft Project Professional 2016 - en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = InstallLocation, data = C:\Program Files\Microsoft Office True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = ClickToRunComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us value_name = ClickToRunComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=ProPlusRetail.16_en-us_x-none culture=en-us version.16=16.0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoRepair, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoRemove, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoRemove, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = NoModify, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayIcon, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayName, data = Microsoft Office Professional Plus 2016 - en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = InstallLocation, data = C:\Program Files\Microsoft Office True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = ClickToRunComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us value_name = ClickToRunComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = UninstallString, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=install scenariosubtype=ARP sourcetype=None productstoremove=VisioProRetail.16_en-us_x-none culture=en-us version.16=16.0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = ModifyPath, data = "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" scenario=repair platform=x64 culture=en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoRepair, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoRemove, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoRemove, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = NoModify, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayIcon, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayIcon, data = C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayName, data = Microsoft Visio Professional 2016 - en-us True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = InstallLocation, data = C:\Program Files\Microsoft Office True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = ClickToRunComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us value_name = ClickToRunComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = NoRemove, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC value_name = NoRemove, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayVersion, data = 10.0.40219 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=146008 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = InstallSource, data = c:\99def75de868dd555ad2\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = ModifyPath, data = MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = NoRepair, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = EstimatedSize, data = 14199 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = UninstallString, data = MsiExec.exe /X{1D8E6291-B0D5-35EC-8441-6616F567A0F7} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = VersionMajor, data = 10 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Version, data = 167812379 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = Language, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} value_name = DisplayName, data = Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Contact, data = http://java.com True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = DisplayVersion, data = 8.0.1310.11 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = HelpLink, data = http://java.com/help True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallLocation, data = C:\Program Files\Java\jre1.8.0_131\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = InstallSource, data = C:\Users\CIiHmnxMn6Ps\AppData\LocalLow\Oracle\Java\jre1.8.0_131_x64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = ModifyPath, data = MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F64180131F0} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = NoRepair, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Publisher, data = Oracle Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Readme, data = [INSTALLDIR]README.txt True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = EstimatedSize, data = 112318 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = UninstallString, data = MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F64180131F0} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = URLInfoAbout, data = http://java.com True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = URLUpdateInfo, data = http://java.sun.com True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = VersionMajor, data = 8 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Version, data = 134219038 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} value_name = DisplayName, data = Java 8 Update 131 (64-bit) True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = DisplayVersion, data = 11.0.61030 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = InstallSource, data = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = ModifyPath, data = MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = EstimatedSize, data = 12272 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = UninstallString, data = MsiExec.exe /X{37B8F9C7-03FB-3253-8781-2517C99D7C00} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = VersionMajor, data = 11 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Version, data = 184610406 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} value_name = DisplayName, data = Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayVersion, data = 9.0.30729.6161 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = HelpLink True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = InstallSource, data = c:\44043d000a75be12f821a1ccbc\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = ModifyPath, data = MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = NoRepair, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = EstimatedSize, data = 13532 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = UninstallString, data = MsiExec.exe /X{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = VersionMajor, data = 9 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Version, data = 151025673 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} value_name = DisplayName, data = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = DisplayVersion, data = 14.10.25017 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallDate, data = 20170714 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = InstallSource, data = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = ModifyPath, data = MsiExec.exe /X{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = EstimatedSize, data = 2088 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = UninstallString, data = MsiExec.exe /X{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = VersionMajor, data = 14 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = VersionMinor, data = 10 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Version, data = 235561401 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} value_name = DisplayName, data = Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.10.25017 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = HelpLink True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallDate, data = 20180720 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = InstallSource, data = c:\program files\microsoft office\root\integration\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = ModifyPath, data = MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = EstimatedSize, data = 3936 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = UninstallString, data = MsiExec.exe /I{90160000-007E-0000-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = VersionMajor, data = 16 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Version, data = 268445684 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = Language, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} value_name = DisplayName, data = Office 16 Click-to-Run Licensing Component True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = HelpLink True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallDate, data = 20180720 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = InstallSource, data = c:\program files\microsoft office\root\integration\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = ModifyPath, data = MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = EstimatedSize, data = 32848 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = UninstallString, data = MsiExec.exe /X{90160000-008C-0000-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = VersionMajor, data = 16 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Version, data = 268445684 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = Language, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} value_name = DisplayName, data = Office 16 Click-to-Run Extensibility Component True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = DisplayVersion, data = 16.0.10228.20134 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = HelpLink True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallDate, data = 20180720 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = InstallSource, data = c:\program files\microsoft office\root\integration\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = ModifyPath, data = MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = EstimatedSize, data = 48 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = UninstallString, data = MsiExec.exe /X{90160000-008C-0409-1000-0000000FF1CE} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = VersionMajor, data = 16 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Version, data = 268445684 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE} value_name = DisplayName, data = Office 16 Click-to-Run Localization Component True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = DisplayVersion, data = 12.0.21005 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = InstallSource, data = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = ModifyPath, data = MsiExec.exe /X{929FBD26-9020-399B-9A7A-751D61F0B942} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = EstimatedSize, data = 11784 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = UninstallString, data = MsiExec.exe /X{929FBD26-9020-399B-9A7A-751D61F0B942} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = VersionMajor, data = 12 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Version, data = 201347597 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942} value_name = DisplayName, data = Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = DisplayVersion, data = 12.0.21005 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = InstallSource, data = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = ModifyPath, data = MsiExec.exe /X{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = EstimatedSize, data = 2532 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = UninstallString, data = MsiExec.exe /X{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = VersionMajor, data = 12 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Version, data = 201347597 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B} value_name = DisplayName, data = Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Comments True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayVersion, data = 8.0.61000 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = HelpLink True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = InstallSource, data = C:\Users\CIIHMN~1\AppData\Local\Temp\IXP000.TMP\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = ModifyPath, data = MsiExec.exe /X{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = NoRepair, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = NoRepair, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = EstimatedSize, data = 7000 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = UninstallString, data = MsiExec.exe /X{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = VersionMajor, data = 8 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Version, data = 134278728 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = Language, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028} value_name = DisplayName, data = Microsoft Visual C++ 2005 Redistributable (x64) True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = DisplayVersion, data = 11.0.61030 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallDate, data = 20170524 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = InstallSource, data = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = ModifyPath, data = MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = EstimatedSize, data = 2000 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = UninstallString, data = MsiExec.exe /X{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = VersionMajor, data = 11 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = VersionMinor, data = 0 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Version, data = 184610406 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97} value_name = DisplayName, data = Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = AuthorizedCDFPrefix, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = AuthorizedCDFPrefix True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Comments, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Comments, data = Caution. Removing this product might prevent some applications from running. True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Contact, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Contact True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = DisplayVersion, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = DisplayVersion, data = 14.10.25017 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = HelpLink, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = HelpLink, data = http://go.microsoft.com/fwlink/?LinkId=133405 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = HelpTelephone, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = HelpTelephone True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallDate, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallDate, data = 20170714 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallLocation, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallLocation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallSource, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = InstallSource, data = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64\ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = ModifyPath, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = ModifyPath, data = MsiExec.exe /X{E512788E-C50B-3858-A4B9-73AD5F3F9E93} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = NoModify, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = NoModify, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Publisher, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Publisher, data = Microsoft Corporation True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Readme, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Readme True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Size, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Size True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = EstimatedSize, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = EstimatedSize, data = 12640 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = SystemComponent, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = SystemComponent, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = UninstallString, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = UninstallString, data = MsiExec.exe /X{E512788E-C50B-3858-A4B9-73AD5F3F9E93} True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = URLInfoAbout, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = URLInfoAbout True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = URLUpdateInfo, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = URLUpdateInfo True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = VersionMajor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = VersionMajor, data = 14 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = VersionMinor, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = VersionMinor, data = 10 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = WindowsInstaller, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = WindowsInstaller, data = 1 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Version, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Version, data = 235561401 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Language, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = Language, data = 1033 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = DisplayName, type = REG_NONE True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E512788E-C50B-3858-A4B9-73AD5F3F9E93} value_name = DisplayName, data = Microsoft Visual C++ 2017 x64 Additional Runtime - 14.10.25017 True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProjectProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VisioProRetail - en-us - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F64180131F0} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
Enumerate Values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE} - True 1
Fn
For performance reasons, the remaining 225 entries are omitted.
The remaining entries can be found in glog.xml.
Module (1)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\reg.exe base_address = 0x7ff75d930000 True 1
Fn
Process #44: cmd.exe
62 0
»
Information Value
ID #44
File Name c:\windows\system32\cmd.exe
Command Line cmd /C "echo -------- >> C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:41, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
»
Information Value
PID 0x8ec
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x F0
0x 630
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x0000008917eb0000 0x8917eb0000 0x8917ecffff Private Memory rw True False False -
pagefile_0x0000008917eb0000 0x8917eb0000 0x8917ebffff Pagefile Backed Memory rw True False False -
private_0x0000008917ec0000 0x8917ec0000 0x8917ec6fff Private Memory rw True False False -
pagefile_0x0000008917ed0000 0x8917ed0000 0x8917ee3fff Pagefile Backed Memory r True False False -
private_0x0000008917ef0000 0x8917ef0000 0x8917feffff Private Memory rw True False False -
pagefile_0x0000008917ff0000 0x8917ff0000 0x8917ff3fff Pagefile Backed Memory r True False False -
pagefile_0x0000008918000000 0x8918000000 0x8918000fff Pagefile Backed Memory r True False False -
private_0x0000008918010000 0x8918010000 0x8918011fff Private Memory rw True False False -
locale.nls 0x8918020000 0x89180ddfff Memory Mapped File r False False False -
private_0x00000089180e0000 0x89180e0000 0x89181dffff Private Memory rw True False False -
private_0x00000089181e0000 0x89181e0000 0x89182dffff Private Memory rw True False False -
private_0x00000089182e0000 0x89182e0000 0x89182e6fff Private Memory rw True False False -
private_0x0000008918340000 0x8918340000 0x891834ffff Private Memory rw True False False -
pagefile_0x00007df5ff2f0000 0x7df5ff2f0000 0x7ff5ff2effff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4580000 0x7ff7b4580000 0x7ff7b467ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4680000 0x7ff7b4680000 0x7ff7b46a2fff Pagefile Backed Memory r True False False -
private_0x00007ff7b46a8000 0x7ff7b46a8000 0x7ff7b46a8fff Private Memory rw True False False -
private_0x00007ff7b46ac000 0x7ff7b46ac000 0x7ff7b46adfff Private Memory rw True False False -
private_0x00007ff7b46ae000 0x7ff7b46ae000 0x7ff7b46affff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Host Behavior
File (24)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 2
Fn
Get Info STD_OUTPUT_HANDLE type = size True 1
Fn
Open STD_OUTPUT_HANDLE - True 12
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Read STD_OUTPUT_HANDLE size = 1, size_out = 1 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 11 True 1
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #46: cmd.exe
1498 0
»
Information Value
ID #46
File Name c:\windows\system32\cmd.exe
Command Line cmd /U /C "type C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 > C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin & del C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:03:40, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
»
Information Value
PID 0x3ac
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 274
0x 2E4
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000b0c84f0000 0xb0c84f0000 0xb0c850ffff Private Memory rw True False False -
pagefile_0x000000b0c84f0000 0xb0c84f0000 0xb0c84fffff Pagefile Backed Memory rw True False False -
private_0x000000b0c8500000 0xb0c8500000 0xb0c8506fff Private Memory rw True False False -
pagefile_0x000000b0c8510000 0xb0c8510000 0xb0c8523fff Pagefile Backed Memory r True False False -
private_0x000000b0c8530000 0xb0c8530000 0xb0c862ffff Private Memory rw True False False -
pagefile_0x000000b0c8630000 0xb0c8630000 0xb0c8633fff Pagefile Backed Memory r True False False -
pagefile_0x000000b0c8640000 0xb0c8640000 0xb0c8640fff Pagefile Backed Memory r True False False -
private_0x000000b0c8650000 0xb0c8650000 0xb0c8651fff Private Memory rw True False False -
locale.nls 0xb0c8660000 0xb0c871dfff Memory Mapped File r False False False -
private_0x000000b0c8720000 0xb0c8720000 0xb0c8726fff Private Memory rw True False False -
private_0x000000b0c8760000 0xb0c8760000 0xb0c876ffff Private Memory rw True False False -
private_0x000000b0c8780000 0xb0c8780000 0xb0c887ffff Private Memory rw True False False -
private_0x000000b0c8880000 0xb0c8880000 0xb0c897ffff Private Memory rw True False False -
pagefile_0x00007df5ff080000 0x7df5ff080000 0x7ff5ff07ffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7b4510000 0x7ff7b4510000 0x7ff7b460ffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff7b4610000 0x7ff7b4610000 0x7ff7b4632fff Pagefile Backed Memory r True False False -
private_0x00007ff7b4633000 0x7ff7b4633000 0x7ff7b4633fff Private Memory rw True False False -
private_0x00007ff7b463c000 0x7ff7b463c000 0x7ff7b463dfff Private Memory rw True False False -
private_0x00007ff7b463e000 0x7ff7b463e000 0x7ff7b463ffff Private Memory rw True False False -
cmd.exe 0x7ff7b50b0000 0x7ff7b5108fff Memory Mapped File rwx True False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin 96.51 KB MD5: a240089d327a1ebcc458c2c3161ee815
SHA1: de0c1f991cf15d6ff79b174f42651b6c4a8e2305
SHA256: 4a241e7a91d186287d30587253964c6b198c275abfef770107b5078178188c89
SSDeep: 3072:sgvF/8qnVg5BbE78GLZOWPqaNi3Uw3fwGJeXAdpcpmXJrK9xQYRIS32mjktPfzAa:qT 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 48.25 KB MD5: c892049fc102a30285e8b98aa4c6b1e5
SHA1: 6c619c97f5ef82c3d2f5623534fadded48a4648c
SHA256: 90eb06e686edc493e6c9ca57b9b71897d27e904a8efafb6046154fff2c84f4c1
SSDeep: 1536:Q1hlEd+kcUOYbi7x12MaiPz9jAr/ESZtlA8YkFNfBYk2:QPqYk2 		False
...
Host Behavior
File (1460)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Get Info C:\Windows\system32 type = file_attributes True 1
Fn
Get Info C:\Windows\System32 type = file_attributes True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 type = file_attributes True 3
Fn
Get Info - type = file_type True 1
Fn
Get Info - type = size, size_out = 0 True 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 249
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp type = file_attributes True 1
Fn
Open STD_OUTPUT_HANDLE - True 475
Fn
Open STD_INPUT_HANDLE - True 3
Fn
Open - - True 165
Fn
Open \??\C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin1 desired_access = DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_DELETE True 1
Fn
Read - size = 512, size_out = 512 True 96
Fn
Data
Read - size = 512, size_out = 260 True 1
Fn
Data
Write STD_OUTPUT_HANDLE size = 160 True 394
Fn
Data
Write STD_OUTPUT_HANDLE size = 64 True 65
Fn
Data
Registry (17)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Fn
Module (8)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff7b50b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 2
Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ffb45e2d550 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ffb45e325e0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ffb45e31f90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ffb456c3a10 True 1
Fn
Environment (11)
»
Operation Additional Information Success Count Logfile
Get Environment String - True 4
Fn
Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Fn
Get Environment String name = PROMPT False 1
Fn
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Fn
Get Environment String name = KEYS False 1
Fn
Set Environment String name = PROMPT, value = $P$G True 1
Fn
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Fn
Process #49: makecab.exe
77 0
»
Information Value
ID #49
File Name c:\windows\system32\makecab.exe
Command Line makecab.exe /F "C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin"
Initial Working Directory C:\Users\CIIHMN~1\AppData\Local\Temp\
Monitor Start Time: 00:03:42, Reason: Child Process
Unmonitor End Time: 00:03:44, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
»
Information Value
PID 0xa4c
Parent PID 0x824 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x BFC
0x B18
Region
»
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000fa10720000 0xfa10720000 0xfa1073ffff Private Memory rw True False False -
pagefile_0x000000fa10720000 0xfa10720000 0xfa1072ffff Pagefile Backed Memory rw True False False -
private_0x000000fa10730000 0xfa10730000 0xfa10736fff Private Memory rw True False False -
pagefile_0x000000fa10740000 0xfa10740000 0xfa10753fff Pagefile Backed Memory r True False False -
private_0x000000fa10760000 0xfa10760000 0xfa107dffff Private Memory rw True False False -
pagefile_0x000000fa107e0000 0xfa107e0000 0xfa107e3fff Pagefile Backed Memory r True False False -
pagefile_0x000000fa107f0000 0xfa107f0000 0xfa107f1fff Pagefile Backed Memory r True False False -
private_0x000000fa10800000 0xfa10800000 0xfa10801fff Private Memory rw True False False -
private_0x000000fa10810000 0xfa10810000 0xfa10816fff Private Memory rw True False False -
private_0x000000fa10820000 0xfa10820000 0xfa10820fff Private Memory rw True False False -
private_0x000000fa10830000 0xfa10830000 0xfa1092ffff Private Memory rw True False False -
locale.nls 0xfa10930000 0xfa109edfff Memory Mapped File r False False False -
private_0x000000fa109f0000 0xfa109f0000 0xfa10a6ffff Private Memory rw True False False -
private_0x000000fa10a70000 0xfa10a70000 0xfa10a70fff Private Memory rw True False False -
tzres.dll 0xfa10a80000 0xfa10a82fff Memory Mapped File r False False False -
tzres.dll.mui 0xfa10a90000 0xfa10a98fff Memory Mapped File r False False False -
private_0x000000fa10b60000 0xfa10b60000 0xfa10b6ffff Private Memory rw True False False -
pagefile_0x000000fa10b70000 0xfa10b70000 0xfa10cf7fff Pagefile Backed Memory r True False False -
pagefile_0x000000fa10d00000 0xfa10d00000 0xfa10e80fff Pagefile Backed Memory r True False False -
pagefile_0x000000fa10e90000 0xfa10e90000 0xfa1228ffff Pagefile Backed Memory r True False False -
private_0x000000fa12290000 0xfa12290000 0xfa1238ffff Private Memory rw True False False -
pagefile_0x00007df5fffc0000 0x7df5fffc0000 0x7ff5fffbffff Pagefile Backed Memory - True False False -
pagefile_0x00007ff7819e0000 0x7ff7819e0000 0x7ff781adffff Pagefile Backed Memory r True False False -
pagefile_0x00007ff781ae0000 0x7ff781ae0000 0x7ff781b02fff Pagefile Backed Memory r True False False -
private_0x00007ff781b09000 0x7ff781b09000 0x7ff781b09fff Private Memory rw True False False -
private_0x00007ff781b0c000 0x7ff781b0c000 0x7ff781b0dfff Private Memory rw True False False -
private_0x00007ff781b0e000 0x7ff781b0e000 0x7ff781b0ffff Private Memory rw True False False -
makecab.exe 0x7ff781df0000 0x7ff781e09fff Memory Mapped File rwx True False False -
version.dll 0x7ffb3d3b0000 0x7ffb3d3b9fff Memory Mapped File rwx False False False -
cabinet.dll 0x7ffb3e540000 0x7ffb3e566fff Memory Mapped File rwx False False False -
kernelbase.dll 0x7ffb45670000 0x7ffb4584cfff Memory Mapped File rwx False False False -
user32.dll 0x7ffb45c50000 0x7ffb45d9dfff Memory Mapped File rwx False False False -
kernel32.dll 0x7ffb45e10000 0x7ffb45ebcfff Memory Mapped File rwx False False False -
imm32.dll 0x7ffb46070000 0x7ffb460a5fff Memory Mapped File rwx False False False -
gdi32.dll 0x7ffb460c0000 0x7ffb46244fff Memory Mapped File rwx False False False -
msctf.dll 0x7ffb462d0000 0x7ffb4642bfff Memory Mapped File rwx False False False -
msvcrt.dll 0x7ffb48000000 0x7ffb4809cfff Memory Mapped File rwx False False False -
ntdll.dll 0x7ffb48180000 0x7ffb48341fff Memory Mapped File rwx False False False -
Created Files
»
Filename File Size Hash Values YARA Match Actions
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_6 0.02 KB MD5: decf6c06fb2e267da61dff136ea369be
SHA1: 84cf4aadf1d8051186620896d3f10ccea1402887
SHA256: 3cff9def1c500018c81d532ab55279b08260b82c409bd4a002896c8175d73a0d
SSDeep: 3:ylKKln:ylKKln 		False
...
setup.inf 0.92 KB MD5: 6ff1b2f7e7ca141fb1f71463403c9e8e
SHA1: e01ef8a40fb4edb46e7c4af8c278ea3058900d5c
SHA256: e0a7fe9243c4c4374d6ecbd0fb982919f43ee86ba6d46d2d70535faa1b720b2e
SSDeep: 12:QxncDimwRL+pLnsP2neJheI5Hx28IncDimwRL+pLnhIv:QF8vwIpLn02nKhesHx2l8vwIpLnw 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\4D82\FE41.tmp 0.00 KB MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3:: 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_5 9.07 KB MD5: 528ff10108faa49e56f70293bf226450
SHA1: 0effb7ca1be6d0ae75f81ec439f241732300a759
SHA256: 4f405a8d1bad5189d60adb3bed9e2fd69fd8903ce27ae092ca6f89aebe387dfd
SSDeep: 192:xzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTCiShihXt:/Mbc5VMOfbCGsKH8AtShiht 		False
...
setup.rpt 0.28 KB MD5: ddb1b807b6d49362c7e8a28fa2cc5cd8
SHA1: 0ca5e654afd9d847245c8055026c1233a7bd4b1c
SHA256: 9c4aac67c2b09d1e3ac39edca6279daf953370634bb61bddc3bdb3606ac66226
SSDeep: 6:vgqGpf6g/ukCObSmVKQBu0iwac/hQzQTlFIP:vOphXC+SmVBDiw3JXk 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2120_2 0.02 KB MD5: 4230347e5849e9c7230227a287ae4a41
SHA1: a3fa042694dc86f05973ac07231c95cf590d606a
SHA256: 2484fa669042204d83d907de45012a2aef7f6687613ce76169097240415b0abd
SSDeep: 3:R0qxv:Rf 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3 0.03 KB MD5: b0304cd94811263bf9a2e5881eb0ca66
SHA1: b22bfa271e0bcb0071f38de41a47173bea2af7ac
SHA256: 23efcb202017c92f50d33fe1b2043147d87fbf18a4b8107825c50ebfaadaeb50
SSDeep: 3:NLBoKTsKy:ZeKT5y 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_7 9.07 KB MD5: 0e37735d8665fc514dd41d5ad9c63801
SHA1: fa1dfb9198afed2b80de5e6de894915b527c42d3
SHA256: 685d237aa1808b9430f27a4c31a2222d9218dc630a1dac63484512f9bba3ab34
SSDeep: 192:dzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTAiShihXt:jMbc5VMOfbCGsKH8ArShiht 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_9 0.01 KB MD5: 9f69799c453769d6e3c832d6d02c614f
SHA1: 96a05ff9e89f75904d023143cb84a85a13eedf98
SHA256: 49343ffd86917455d1a41b670f9136c5c920ff4dde5094ca6ae07015ca42048e
SSDeep: 3:Oln:Oln 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin 9.14 KB MD5: fcc8a196f218abd00dfa9f954d85747a
SHA1: fae1291da862aaaf1cabde958fcaf4503025ed4e
SHA256: 37001a6b2bf3872df263960be59d99d9f3d38aa30583ef16e3244d9ce29cee60
SSDeep: 192:WzPaOMbXgR4kuLfQMOfbC1cpW4Zk498gigTAiShihXt:SMbc5VMOfbCGsKH8ArShiht 		False
...
C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4 0.03 KB MD5: fae16a9e78e1e2a0282d8dca387d8786
SHA1: da1cb06dc20adf7e7d79809ef2d52c0122ba2c8e
SHA256: b66f6ca27cba4c5cffde0a2e09b6f5f21c344af7e9644803eb5127507264acba
SSDeep: 3:dJgVRl2UOJRxyn:dq52UOJRgn 		False
...
Host Behavior
File (73)
»
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin file_attributes = _O_EXCL True 1
Fn
Create CAB02636.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 2
Fn
Create setup.inf file_attributes = _O_RDWR, _O_CREAT True 1
Fn
Create setup.rpt file_attributes = _O_RDWR, _O_CREAT True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4 file_attributes = _O_WRONLY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin file_attributes = _O_EXCL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP file_attributes = _O_RDWR, _O_CREAT, _O_EXCL True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_5 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_6 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_7 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_8 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_9 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_10 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_11 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\D969.bin desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_12 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_13 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\cab_2636_14 desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_DELETE True 1
Fn
Create setup.inf file_attributes = _O_WRONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4 file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Create setup.rpt file_attributes = _O_WRONLY True 1
Fn
Get Info C:\Users\CIIHMN~1\AppData\Local\Temp\5FB1.bin type = file_attributes True 1
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 3 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 4096 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 3 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\D0C5.bin size = 4096 True 1
Fn
Data
Read - size = 32768 True 4
Fn
Data
Read - size = 16124 False 1
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 8 True 2
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 7894 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 1381 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 8 False 1
Fn
Read - size = 16 True 1
Fn
Data
Read - size = 256 True 1
Fn
Data
Read - size = 16 False 1
Fn
Read - size = 8 True 1
Fn
Data
Read - size = 8 False 1
Fn
Read - size = 32768 False 2
Fn
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_2 size = 2048, size_out = 23 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_3 size = 2048, size_out = 30 True 1
Fn
Data
Read C:\Users\CIIHMN~1\AppData\Local\Temp\inf_2636_4 size = 2048, size_out = 33 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 8 True 3
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 7894 True 1
Fn
Data
Write - size = 16 True 2
Fn
Data
Write - size = 9 True 2
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 1381 True 1
Fn
Data
Write - size = 8 True 3
Fn
Data
Write - size = 7894 True 1
Fn
Data
Write - size = 1381 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 36 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 25 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 9291 True 1
Fn
Data
Write C:\Users\CIIHMN~1\AppData\Local\Temp\CAB02636.TMP size = 4 True 1
Fn
Data
Write setup.inf size = 23 True 1
Fn
Data
Write setup.inf size = 30 True 1
Fn
Data
Write setup.inf size = 33 True 1
Fn
Data
Module (3)
»
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\makecab.exe base_address = 0x7ff781df0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ffb45e10000 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = HeapSetInformation, address_out = 0x7ffb45e30f40 True 1
Fn
System (1)
»
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image